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(54) METHOD OF SECURING BINDING UPDATE BY USING ADDRESS BASED KEY 
(57)Abstract: 

PROBLEM TO BE SOLVED: To secure binding updates 
in a wireless telecommunications system. 
SOLUTION: A public key is generated by using a home 
address of a mobile host. A home agent, such as a 
router, generates a private key by using public 
cryptographic parameters corresponding to the mobile 
host or the public key. A node of a communication 
destination uses the public key to encrypt a shared key 
and sends the encrypted shared key to the mobile host. 
The mobile host decrypts the shared key by using its 
original private key. The shared key is used for signing 
the binding update. Thereafter, the node of the 
communication destination utilizes the shared key to 
verify the authenticity of the binding update. 
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1 

Mia^w^s LTSsBa^ja-ra^xv -ft, 
m>m 2 ] *-ax-s?x y f (iMia^tt^jt 

[lfi*iJi 3 ] y F t*tul5ffi^il^*jt 

[11*114] BUlB^—AX— i!ufB$5®8i 

x f tiiif set k -r 5 ffi^S 3 
[II*iI5] flJge&IISHfc, «£gliA &M^y- 

lt, »*x h t<Dm~e&Mzn%tmmm 
- s a ms*. s c £ i: -r § n *s a ictsmo 

[ff*Jg6] Bu!3iI{i?c/~His tulB^MSIkfufB 

£ f sit *« 5 tiem©^ 

[if*ijt 7 ] m&m*x h immmmttim ft 

imy~ vicmmtz c fc*«rafcf aawas 5 kiss 

[if*ii 8 ] tula*- ii-^i y f «, tuia^M^ 
5 * - * ^tuiaiifift / - f fcai^-r § c t t f 

[li*« 9 ] MIBi»x F ©*-A7 F bX^ffiffl 

tTiGia^gflii^fiSc^ti^ c t*w4k£tztmm 1 
[ii^iii 0] mtmmy^L>T<Dm4m?Mm* 

^mmtmmmtm ft, »*x f t ©m-pegs 
m%mm%:/~ f £ 2, c t tt^^f 

Ao 

Rlilft*- Ax-/x > F£r£ 6 tciix. § c i: i: 
•1 cI/RF'! 1 OKIBKO^XrAo 

[it *ii 12] Buta*- ax- i? x >■ h h\ Mias^ 
tt i: y-y zct mm ttz it *« 

1 1 KEIOi'Xfi. 

[If *IB 1 3 ] IuIB^UjjFX h ©*-A7 F FX^ffi 

it; l r Mia^ii*^ * n a c t t -r a if *n 

1 OtiaiStDv-Xr Ao 

[i«*xi 1 4 ] Mie*-Ax-s>x y h (iMia^mn 
S£t>H3?$krsif*isi i tiaso5/xf 
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[ii*3S 1 5 ] Mia^-Ax-^x > h a, Miasm 
it ^w^-#£fuia$fj*x htcffiftt-rs^ 

#^i:1-§If*ri l l ^iaigcD'>XxAo 

[if*iii6] afi5tx-F«, mm^mm^^xi^ 

ttummi 5tcia«o^xf-Ao 

[if *ii 1 7 ] M!a»*x h izmmmmttf&m l 

io wmfts- f t &m? %z.h tt& if *ii 1 6 fc 

latgOS/XrAo 

[If *ri l 8 ] Suia^ffii* X F tt, H93a^M^5 ^ - 
III 6 tia*«S/XT-Ac 

[if *ii 1 9 ] mmmm y x f a r*^ffl * *u 
MiaffifS^x- f fc<DHT^^nswts$Mit is^ffi 

^*-ax-^x > h tmm^y- vicmmtz c ttf 

20 X-Fo 

[ff *rf 2 o ] buIB^-Ax-^x y h ti, tutaS^ 

[If*rS2 l] tuiaANlil^s Mia^ttX-F©*- 
A7 F bX*^ o T^fiicS tl« C *f#« k "f 5 If *« 
l 9C|5fE©»l6/-Fo 

[ff *ii 2 2 ] tufa*-Ax-v>x y h ^tuias-s;ii 

-Ho 

30 [if*ri2 3] tuia^-Ax-^xyh^, taaasuB 
®*3 <t tf ^ ^7^-^ # m tag® / - f ica^-r a c 
k d i: £tf»£i-sfraas 1 9 fcnm<D®my- f d 
[if *jg 2 4 ] suiaafi^x - f i±, mib^bb» t Su 

®t?z if *« 2 3 fc mm<Dm) / - f d 

[If*H2 5] WSB^S&y-Ktts Mia«Wi!^ffl 
LTMSaMjSIf ffiMiT^g« U mliaWjStf ?SMIt^M 

laiifi^t / - f t jMis-r § c k » f § if *« 2 4 

40 [ff*rH2 6] Mia^^^y-^^tuiajiM^x- 
f t ffi^-r s fe&fc , stfis-r > ^ - 7 x -x A^ffl $ n 
s c tzwmt? % if *« 2 4 Kim<D®m/~- f d 

[0001] 

[^ois-r^s^if] *mm, mmm^ityxT- 

[0 0 0 2] 

[ffi*«feffi] fi*H^mSS#^6 0/3 5 

50 8, 1 7 7 (2 0 0 2*2 ft 1 9 StUP) 6 0/4 1 



3 

6,029 (2 0 0 2^1 0/130 fflffi) fcS^VTffi 

9um±mtz>o cn^tt rrFux-^-xF- 

-DkM I P v 6ttfomm^ffi (Binding 
Update) (DUB.] i:O^^M^tlT*3D*i 

[0 0 0 3] <4<£n?>ti/c^*;l/ 1 PKOl^t, 

m i p v Qfmmmmb*um?%m*wm$L$kt u 

T> ffi^^ISSSSfH (Return Routabili 
t y) ^S;ttAtl5^S^^SWWIilioaii^*%B^ 

i: ^7 * - v y 7> IS L xmmtfh 5 o 
[0 0 0 4] 

xfii«o; h v-^-y^umnm^mmtnx^ 

<9&ffiiEBl4PS Sftft OT-feo fc„ ftfT©$F^T?t4, 
[0 0 0 5] 

W^^-T § fc <E>#®] *fgBJ! fi , *Mfi * x 
7 AT? <D*feS1S «M*f SftftOi'XfAfcJ: tf 

^ffi*BB^"rSo $'>XfAT'H, »Xf^-A 

->*iv f nwx h t^rii-wifcMjSL/c, aw® 

[0 0 0 6] ffira$fc/-KfciIM*IW#rfS#&, &H) 

H:'f!}/ ^ y< - £ -r 5 «fc a C 5 * v -tr- S> 
^Ax-^xyb^IUT^ iHIyfeX-Ffcfm^ 

it®^ rc^mm^mmtt § 1 1 1, t $t*$ 

L-T^ 7-fe— 7MII3- F**fefet S c h t 
[0 0 0 7] 

[fgiBO^ffli©^®] l7~F, 0BS*#JSSbT, fflffW/S 
Htco^TfBfcl <i &to\ Isj-cDiMSigJi^ co# 
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7FUX -^-XF (ABK), $/ct4<7x — ;b 
• ^7 U fc, Mi^7/S©ffi^t^cS^V 

?>&<DTH4ftt,\, 

[0 0 0 8] f@A©ligiJ?*^-Xt L/cBg^ft (J-X 
T, fflgiJBg^bfcl/^) ^iJfflLfe, MI Pv6T?©*f 

10 Titt^-TSo fBgUHf^fcti, tv^Tyvw, *©I P 
7 F UXH, Sl^^ryF O&MilBU? *&IJMI 

14, &p*w^ /> - * i: t» mmzmmmm 

3lJ&m (I PKG) i^5IWIt«. *'vfe-5?*H&*Ut 

$.§7v^7>F O^W I D i: ^ * -2 
ffl7^ 0 SSfcjUgffl^fttt, tPKG^?»«^ 
5^-^^ft5o y^^7yh(4, ^^^7^7^ 

20 t§c 

[0 0 0 9] Hltt, mB^'^frTf-ZX I P ( I n 
ternet Protocol) ^7 F7— ^©Hfll 
^Tf-to tellit / ^y ;I/7 y -b X I P^b7-?tt, ^ 
SOHSy-K (7*t3^, S/gg&t°y>FS/ct4@ 
/gg^lfi) frGKini, H^/-FI Pf-^^7 
h7-7 1 2 0^r#ty o C0D^«y F7— ^T5i47-^ 
14, »ffl*<D#%&KT?&3 IETF RFC 24 
6 0 i: LTfg^^n/c I P v 6^cD-r>y-^7 h7°n 
Fn^CtdtgftSo 37*7 h7~7 1 2 0E», 
30 I P^W^/^y^'f-y 1 4 0*3^fi8"r5^»©y— 
F;F-y l 3 ooi$ D^iSttStiTfeO, C(7);l/-y 
p{4, ffi*oy>y-*>y F • 7 Fb>yv>y7°P 
WJ;(IV>^-*7 h •;V-T-fy^7a hn;Wc^ 

/c^ffTt/' - F i: yeft / - F i:fl)Kff- ^ ^7 7 F * 
;F— f-fVy'tSo I P^W-zWVy y#-> 1 4 0* 
ffM7^fl^07-h;l/-y l 3 014, ^tiSSftft^ 

7*7 h 7-7 i 2 otsasnfez-F-pfeu, S 

fc, 37*7 r-7-7- 1 2 Ort-eiiMf Sfc46©3S@<?) 
40 7FPX*^1-§o 

[0 0 l o] 7-h;l/-y l 3 oo=&4rt«:tt, +/-^t 
L<t4^l/-^ 1 4 SAli^ftTls^ tnP.t4a-- 
^ft I P 7 F UX*# U F 1 3 5 (D<4 5 

IJj*XF tmM9t/-¥ 1 4 2*37*7 F7-7 1 2 
0 t*>y-7x-X-T^*-Ax-7x7 h (HA) 
fcLT©«&*fli*TV3. fffflAX-F 1 3 5 tt. Jiff 
5tX-F 1 4 2 i:fflfi*l7-5/cy)0*7y-7x-X* 
WLT^«. I'7s!r, JlMynX-FOfUt, SttX-F 

50 fc\ iift^cX-F 1 4 2*\ ^ljj/-F7SSii^t$» 



5 

s D mh f 1 3 5 tmMfts- fi 42 it, ^n? 
ft, ifAyFt^h, mmmm, mmm^y^z.- 

[0 0 1 1 ] ggjy-F 1 3 5(4, *-AU 77i:©l 
OfiLh©*- F 1 4 5 kOHWa'Jf 

F 13 514, *>y r-7-7 l 0 OrtOSaSSSR^ > 

f ffl©»»*«iai'r s «fc a £ 7°n ^7 5 y 7*2 ft t v> 

So ^fty-Fl 3 5t4, t^i7KUX, ffcfe^ 
1 3 5|#^«y F7-^ l OOrt^ftb 
TfcSftL&l^fl&y-F 1 3 5 ©7 F FXfc 
^ti^ 0 ?Btiay-F 1 3 5f4, *>yF7--7 
1 0 0 ftTiSftfc&i^?©— BJWa&ttT F (C 
are Of Address ; COA) Wt§ 0 
Ste^SM— K 1 3 5t4, IPsecWa'Jf-f - 7 
V yx-y 3 yfc <fc o Tf^^n/cMiSIf fSMff y -y -fe 
-y^tfjf S C T\ *-Ai->*iy F £fltt7 F 

[0 0 12] Ax— iftxy MoJ;'a'7 t-U >x— 
i>x y F 1 4 5 It, gtlfty— F 1 3 5 tiUlft/- F 1 

4 2 tf*-Ax- y x y F fecfc 7 * — U yx- ->*i y 
h tiifl^fr 5fc#>©, te$S77-bX*>y F7— £ l 5 
0£Wf£o *-Ax->*iyf l 4 5(4, K 

i 3 5tDFjTfefie^ii»ieiiLT, ii/-Fi 3 5-\ 

1" S , A U y 7 ©;F- £ £ £ & tffifx. ?> ft T t> & 
V\ &*5, *-Ax— i?x> F7 FFX (HA A) 14, 
1 4 5 0*7 r-7-^7FFX;£rJg 

"To 

[0 0 13] HfflTt-tetty F7-7 l 5 0ii, 
<D!17^-bx^yh i 5 5#£trt>0"efc«fcv\, a 

*i77-tx*7 F7-7©#m, « 
mmmmTh d t. © £ -r s. &ts l a n 

3 5fe<t«it«7y-trx*^y ft-, a^o^rtet<fco 

TUfi^ftSo C©j£fc:Mir Sp,«4, *fPJ3©yu£& 
aW^oBUfcjes-f F fc^STtefti/^T, ^©p^ 

[0 0 14] 3iM-P©^iS1fffflM«f*fi!»'rS**'P 
It, mhJ-Y 1 3 5 J:fl©*-Ax->*iyf i 4 

5 fc©ffllc:J3ttsa£&tt£-E«£fCf Sfci&fc, 7 
F FX • ^-X F • S. C ©7 F UX • ^ 
-X F • *-f4, fflB'JB&^fbS/Xr A"PORJ(Bteft*jpJ 
ffl UT, ^flX- F 1 3 5 © I P 7 F UXfcS"3< &IW 

H^So 

[oo i 5] Wa'JrY -7yyx-y 3 y(4, ftp: 

//ftp.isi.edu/in-notes/rfc2401.txt^£ftfc I P-tr 
ta'Jr-f • 7°n F3;Wc«fcoT, 1 3 5 

*-Ax-y x yF i 4 5©ian:iei?tiSo Wa'J 
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» »i5^^«$ftT^Kjy-F 1 3 5-MSI2 

fts D ^®jy— Fi 3 5, *-x,x-y x yh 145, 
fc^miftfty- f i 4 2 ttfigijHg^t^xr/**flij8 
ts, jF-Ax-yxyh i 4 sit, mmmm^&B 

(&Cf, I PKG) , t>L<lt I P KC\OgM7^ 

[0016] ^|&y- F 1 3 5 L < (4, *-A U 
y7±© 1 $/it4?M©^~ Al-y'i> F 14 5 ^CD 

io FiT-t+a'jf-f • 7yyx-y 3 y^5SuL/cy-F 

T&So ^-A'J^tt, M!]y-F©*-A7FFX 

iWiifiWtEisnfts &i&y-K©*-A*>y F7- 
7rtT©-9r/*>y F£3ty 0 Mfry-F i 3 5&, *-y 
F7-7 1 oortosassaj^^MfflcSfft***! 
e#tftft»rtsc t^HiiiT?*So gab/- f i 3 5 

It, *y F7-y 1 0 0 rtO^atffcfcfc^T— BfWfc* 
M7FbXWIt§ct^'t, Wa'Jr^ -77 

yx-y 3 y^fM ft, ilSfSffLT^SMFfT f f 
X^*-Ax-^ x yF 1 4 5fciUDf§o j!M5ty- 
20 F 1 4 2 It, m)W- F 1 3 5 tfilfrtSffl^fcy- F 

zmto mm^y-vit, mm^hix^&w ®m 
y-F 1 3 zn&Mm-^v F7-7i*j 1 00^ 

S&LTfcSffcL&VV ^i&y- F©7 FFX£^A,/£* 
-A7FFX (Ho A) £'WfS 0 ^-Ax-i/i y F 
it, *-A7 F FX£»J 0 ^TT^Rjy- F 1 3 5 fciJI 

[0 0 17] jfc— Ax— i/ x yF 1 4 5 14, 3^-AUy 

yF 1 4 5(4, ^i&y-F©^eit!i^ji-fflSbT, ^ 

30 fjjy-Fi 35^ (&%mmmTHt, miiy-vfr 

OSaift*«P^"rafc«>t, MM7FUX (Co A) I 
P 7 F FX^giy- F 1 3 5 fcil D ST6fi§„ M 
y- F 1 3 5 (4, ^-Ax-y x y F ^/r L/c^7 -y F 
©;F-ry y^mffifSfeft, iifS^y- F i 4 2 t 
©H7;F- Fftjlfb^f LTfefif. ;F- r-gjlfbt 
cfcor, #»jy- F 1 3 5 fcffl^y- F 1 4 2 ©HO 

a{f © u-fy^'M < -r s <i i: s 0 nay- 

Fl 3 514, ^I{t7FFX«I?n§J:, fflll5t 

40 y - f 1 4 2 r .kim^m^^m s c t t> 

FgJift^^T-TSo 7FFX- ^-X F • ^-(4, g 
lijy- F 1 3 5 fcjiM 5ty- F 1 4 2 tf, ^^S^tJS'lf 

•So 

[0018] 7 F FX • ^n— X F • *-Bg^fcft«, 
gUfty- F©jF-A7 F FX^^iJffl LT*©^BB»*4 
Jt7S/ci6©, MiJBI^ftyXrA^SffltSo S/cffl 
BiJH|^ftyX7Att4, SHE, Bi^Uffiffl^O^fe, *3 
«ttfB&#{tfcfettS^Mai: FT, I P v 6 7 F V7M 

so ©n < a e. ft/ciisij -{-mm l/c y xr a^s s 0 <ss>j 



(5) 

7 

IBffitt£j#ffi (I PKG) tt, n>fc 0 3.-^ • 7°D-fe>y 

[0 0 19] mflmmtisXT-kX'tt, /-F<De^- 
;F7 F F*X-^ I P 7 F bXll^fi^n 5 n&W? 

£S&/-F 1 3 5ti, I PKGtaotiiaS 10 

*x f (omm^mm ltc ©s^jtfBSEsnso «J 
^mim^-mm l t t- «y -t-j?*® § 0 * ^ * 

- 5?3HSg ti , * OS®#o«fB« «fc o T Bg#f k £ ft 

^fflgijn^ (&§vHi, XV 7^ • 

ft§„ {M^ftS/TxrAW:, StfMt (+-xX7n 20 

So am-^jfflxsxphp;^, wimuj 

M4«^£ffllfcKiaoT, »D I P K G 

S>, *XF©l^ft^3fcfe£X^T©I PKG^IS 
K-fSc:4:**Rrt6T?*So *-©<fc5ftS'Xy &g 
&i§^\ t^TOIPKG ft*&*f 3 C «t o T$tl£ 
K^^Sffl-rSs^&^U*^:*. l« IIS© 
£SKfc Mtlt Sffifffij^ IPKGtio Tff< 30 

?M $ ft S o 

[0 0 2 0] M^ft^XrAte, » Bt^Uffiffi 

A^#» 0 7 FF-X • ^-X F • AllRtf^it^ 
5 ^ - * * if ^T»7 - F ©AX*f $t ffiSm%tt & fc 
fete, f0SiJ0f^jk^X7A*#AL/iBg-E|-ftK#J©C t 

H,\, ft-£&5>, fgR«?7;Fn*yXA&/h 
$ < U /JvMI^li,fiSS%-(?>jNftfl7j-s 40 

[0 0 2 1 ] AWft/c«^& 
x ^ <fc ^ r ft /a iBS'JB&^{b7;i/ =r u X 

At^^^^-^OdfcTSSo IPKGIi, All 50 
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ft %rctt> tcwawomtrfr d y xi^ttmnt %> x- a~ x 

yF£#ty 0 bv^w»Bif?tt, Hij7-F<D*- 

A7FUX (Ho A) £^& 0 IPKGH IfV7^ 
-^-^fgffl LT8HB»6f£3 1 1 1 fc, ^tt7- F 1 

3 5 taM^/- f 1 4 2 icm&zn?,, anibi^^^ 

^ - ^ S o iS^v X ^ -*-lc J: o T4fiSt$ ti 

SAriB|^/^^-X«, X yb-5^0fil»t> b< ttBg 
^bO^lftflFfcM-^-rS, ^»)/-F 1 3 5 £iIM5fc7 

-f 1 4 2^ /-mwgmmmim^znz, 

[0 0 2 2] 02H W*S1ff8H«f«fil»"rSfc«)0, 
fflSiJB|^ft^X7A©f0iri*^7^X-|lI7$So H 

si/- f 1 3 5 1±, apjUHS'J?^, ipkg^ Lrmm 

"TS^-Ax-^x VM 45 fcjMS (7"n 7^20 
0) o Ar«iJ?ti, »iJ7-Fl 3 5©^-A7F^ 
X (Ho A) ^#t;o ^«]7-F(DA x rjfliltt^ i dBi^ 
7 ;F 3 U X A m e © ^ y i/ i P % ^ JF - A 7 F V X 

mmicmmtzztiz&^x^tbibn&o ipkgi 

i d Bf ^7)ld U XA^fiffl LT«flf«*ft D , IP-b 
mhJ-Y 1 3 5tc, fFfiSc L tzW&M i: P7 Bf K^rMM 

7s (7n^7 2 i o) o n<Dimznrc&mmtm® 

;FJUXA7«, f«S^4fiJc-rS|iitc, IP KGO* 
v y^ffin|-r S 7 0 XA i,m% <0 , Bg^f7;F dT y 

XAo^ia^^^-^ttffiffl^n*^©^ ^»i7- f 

13 5, 7-Ax-7A>h 14 5, *3 «t tf jlflft/- 
F 1 4 2tc«API^7^-7^i67°PX7^>X$n 

nSo 

[0023] f!^;|R7-; / !7/:;-i::.A H&#{t7;l/dTUXAi: 
DPS!7;l/=ruXA*^-tf. ll^fb^ti/cm 

nSo 

ciphertext=E NCRYPT (con ten 
t s, I P u K , Params) 
±IE7;F3 'J XAtcfel^T, 
cipher text-- - Bg-ifi 
ENCRYPT - • -y-t-7*i"^Bg^ft7Sfcfe 
(D«Bg^ft7;FJyXA 
c o n t e n t s • • • ffiI17S 7 -fe— J>'^7 
I P u K • • ■ &»J7- K^fflVSfflgiJ^Mai 
Params • • • I P K G oy^fm^Ay 
Z^ft^ftliMtZo **3, IPuK = H (ID, t i 
me) ^fi8i-rS*&T*{4, 

H • • • I D^bAIHlli^fFS/cfetcf^fj^tlS, f M'J'J 
7;l/iiJXAta--^&A-r>y^ • 7;Fn>JXA 
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i d • • • mzftzrcfcicim^nztimmm^ 

time- • -SNTP (SimpleNetwork 
Time Protocol) /"*— i? a y 4 \Z X o T 

^?n«, ^mm/mmm<D i p v 6»t7i$iBi**-tt j f 

content s^DECRYPT (cipherte 
x t , I P r K,Pa r aras) 

I P r K • • • F©8HMI 10 

DECRYPT- • • l»#£*»Srf SRfcE^SfflBlJ 

^ y-tr— S^lfJiEn— F (message authen 
tcation c o d e : MA C) li, WTOUfi^ 

ma c=MAC (content s.symK) 

mac - - • jSUf^tl/fcKSEh — ^> 

MAC • • • 5*D&|E h-tr>%ffiWf%tcit> 20 

contents- • • |I,f"E£tl3 ^ >y -fe— i 7 *^ 
s ymK • • - ma c©&M#fc£{g#fc<fcoT#&-* 

[0 0 2 4] ^ij/- F 1 3 5 y h 1 

4 5 fflfctt, I P-fc+a ijf-f • 7 V ->l-> a VOU 

•4, Bt ^ v * - * «$ g t msmm*fi£K ®m / - 

F 1 3 5tfiJM'^*fci&fiDffi»5St46'Pa&a. %%f)]J— F 30 
13 5, *-iX-i^i>f 14 5, ^tfafift/- 

f 1 4 2 {i^-ti^nwjHg ^fb^x-fA^ff-rSo * 

1 4 514, WJ"$$ltft$g|3 (I PK 

g) tLTomm%mi&L, fes^ai PKcxg^t 
'4 i; #> tc ^PJHf^/ <7^fcktt, HSj/— F@# 

CD 1 2 8 !f-y KOIPv 6*-A7 Fl^X (H o A) Ic 

[0 0 2 5] MzMm;- F 1 3 5 SfI5'cy- F 1 40 

4 2 fcOSffiMJ&KPRLT, aflft/- F 1 4 2 

y-^^p^y y -t-^sni-rs (7o 7^2 2 

0) „ CC?, iHlfl:/— Kl 4 2 7b^O^»j7-Ft 

iBji-r a 'ikw^f ^ x - $ *s § wi* + v 

F 1 3 5^R-r§*-Ax-i>'x> h 1 4 5)0^/^^ 
— Zftgyyu— Ft* (7D7^2 3 0t3<fct57'P-y 
^2 4 0) o ^tfflfi^/- F 1 4 2 (4, »/- FO 
^r«cj;oTBi^{t^ti/c, l;;f ;«^^!iii]/- F l 3 

5 icmtiit 3 (7*n ^ 2 5 0). 50 
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[0 0 2 6] *LT> ^Sjy-F 1 3 5 ttg^tWSIf 
fSMaftS&M-rSd Ur'v7°2 6 0) o £ 

ijy-F 1 3 5'4, WWcioTffiliL/t^jSlffM 
fp&aflft/- F 1 4 2 fcjM5 0 ilMfty- F 1 4 2 

fifty- f i4 2«, ft-t»*ffioT«SEh-^y*K 

SE7£ 0 LfetfoT, ffiiEOfc&fc:, £S&y-Ktf&lffl 

§et s fe» t , lift wtc u$ia^^ § &ijnt«m#f 
ii^«isisfSMiToii^tTd^sfeai\ afift/- f 

1 4 2 (4, ttJStitfgSttSXDilfcl (Binding A 
cknowl edgement : BA) %&WsJ— F 1 

3 5 'Cjifa-r§(X7 7 7°2 7 0) o 

[0027] ^si^Bg^^y-^^g^'c^iiy- 

F 1 3 5£IE^-f S/cJ6©7°n FXUW4, 

1) ABK Request 

2) ABK R e p 1 y : aKS»fc^7^-^*jim 
[0 0 2 8] hfr&B"Hf^7*-** 

S3tf# L, 7 F UX • ^-X F • *ffll,-»fc#-fr«£» 
ifrSfcfe<D7'n Fn;W4, fcTFfcaRt 4 ocDt' ■y-b- 

1) ABKpl : ^Sj7-F(MN)^"ififty-F(C 

2) A B K p 2 :Sfc$fc/-F(CN)tfsfr--2»x-S> 

3) A B K p 3 :^x-^x>h(HA)fflfft 
/- F(C N)'C7^y-^^Mfi 

4 ) A B K p 4 : jlfffty- F(C N)'4, ^ffljj/- F 

g_ 

aflTfeZ-F 1 4 1 4 5^fo 

^^•5^ — ^*Kfc + +-V">i LTl/^Jf^-, ABKp 2 
*vt-i?£ABK p 3^7-b-^g?$« 0 £5 
fc, \Xf(DWM^'U)Vl P v Oftj&lfffiMfr (BU) 

1 ) B U : F (MN) fcfcilMft/- F (C 
N ) + #JS1S IBSiE-r - * „ 

2 ) b a : aiifty - f ( c n ) \mmy- f cm 
n) icttfc.mm^mK)W ! m%iio a cnp»^7t-i> > 

■co^TtDPlB^iXTt^fa U fSS. 
[0 0 2 9] *-Ax-S>x> h 1 4 5t4, ?<Dh7^ 
>"c-a-Stt§-r^T©^ij/- VcofctbtD IPKG^L 
Tii^L9§o JF-Ax-^xyh 1 4 5 14, iW-^f 
;^7<-^ (Pa rams) %:$MtZ>o ZKD^vt — 
^^4, {0SUfi|^fr:7;l/xi , UXA-c{5J!ffl5tt?»o 
F13 5'4, ts-Ax-i>x7H 4 5t4-3t, 12 
8 t?«y MMy^-^'y h • 7°p F xi;V • yQ 
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(IPv6) *-A7FUX (Ho A) ^rSiJD^TS>n 
§„ :o*-A7FWtt, i#t/WIPv6lfi 
*-Ax-i?i>h 1 4 5 t&Wiy-F 1 
3 5 fM3<D I PWa'Jf-f • 7V->x-> 3 y^rtM-f 

[0 0 3 0] mhy-Y 1 3 5fi, *-Ax-7x7 b 
P r Kfc&MI«^5*-**g#f3o » 
ft/- Kfc<fc£ c <D^Mte, %!J&mm.%i<DfcT£fc9ciL 

7V->x->3 yfcfllJBLfc, l 4 

5 ^®J/-F 1 3 SHT'C^'yt-i/WDffiD©;: 
t7-$5„ *-ii->"i>h 1 4 514, (I P 

r K) , teffl/^ t-f , /^/-^O/Hayi 

SNTP *&m/~- F^iMflf 3„ $®)7- F 1 3 5 
14, gtOSW^I PuK = H 07-A7FU-X, ffi 

&Kj7- F 1 3 5 ft^f 37 F 7X • ^-X F • 
[0 0 3 1 ] »/-F 1 3 5(4, iHt$fc/-F 1 4 2 

^BBfe^/<7^-*<og**i«i&-rs <fc5fc* a b k 

p 1 7<y4?-77£fflfi?c7-F(c{E}l-f 3 0 ^7*y FiM 
{Itc7 F 7X(4, &Wl/- F 1 3 5 <D#-A7 F 

(HoA)m ABKpl^7t-v'li, ^7^- 
73 yf§T'|ili^7^- £ • ^-^3 7 (P 
a r ams ver)t i^l$l/f£^ft^7;7^-f 
SHtRfl-pfeS, H#P^ S N T PtKtGo 

[0032] A B K p 1 7 y -tr-S^gWiSlS iHI 30 
5t/- F 1 4 2 (4, ^K}7- F 1 3 5 <DHs—k7 F7X 

(Ho A) tMi't&Vr'?*.? b • 777f"y7X£ L 
T, 4^77 IPv6 tx-Al-y'i y V • iz^t X 
h • 7FbX (HA A) *^46So MiftZ-F 1 4 2 
(4, HAA^£fe§fefel^f7'>a?int IIAV^ 
7 7 - 7 -{V^J /JM-I U- 5 tlfc/^ * - * £ > ^tlfcttft-f 

3 £2&H$IIBtf#ffiT 5 fcWBT So / W - * 4: 

*&i#iis©#&aTOS£n;fca6, iifg^z-F 1 4 2 

(4*— Ax— ->*i> F £<DfflT*A B K p 2 yt >y4?— 7£ 
A B K p 3 7 >y -tr-i^Mfi-f 3<&g(4& < , A B K p 40 

4 7 <y -t-y^ai 7 - F £ iMo T t> «t V\, 

[0 0 3 3] —77s Jiff 5*6 7— F 1 4 2jWELW* 7 
3 yS^tttfft^tlT^&lv^^-^ fe3W4£S§ 

fflfS^y-Fl 4 2(4, 565t7KPXHAAftH« 
ipjffl LT> A B K p 2 7 •v-b-7^*-Ax-7x 7 h 
l 4 5(c3M3 D f^-Ax->*iyh (H 
A ) 1 4 5 1 3 &M«/IBffi»tf)'*7 M L T , 

[0 0 3 4] 3lfI5t7-F 1 4 2;7A B K p 2 x—l:- 50 
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7 i: A B K p 3 7 y •fe-S^&SiS&lltf A B 

Kp 2^ yfe-^ttWTfc^l-fiiS^tr. 

H oA-||y- F©*-A7 F7X 

Nma c---*-Ax-7x7Mc#c#L7c, W£7'y4z 

-7"ISIiEx7- F 

if£7 yfe-S^SSSEn- Ft4, WTfc^r^HTU XA 
7-€«$tl3o 

nmac=MAC (SHA1 (HAA.Nl) , k_C 
N) 

_kIB777 U XAtc&t^T, 
N 1 : 

k_C N : afi7c7- Ffc^.--^aS5«Ba 
[0 0 3 5] W £xi- F N 1 (4»3; L < «£HIIWfc«7C 
StlS^ 5HI$fc7-Fl 4 2^HI3BfP^c»ft1-S 
£P>^3*-Ax-7x7h l 4 5fcHu |1]-(DS^3 
-K*m^nSo 3fS5t7-Fl 4 2(4, ftjfifigfflb 

[0036] A B K p 2 7 7 ■fe—S*&§ttlfc« 
Ax-7x 7 F 1 4 5 (4$K)7- F 1 3 5 ©*-A7 F 
7X (Ho A) #Kfcfflg;£tlTl/-'3fr*ifc£*S. ^ 
LT*-7x-7x7h 1 4 5(4, 
isJc^-#i6T, A B K p 3 7 'Vfe-S*&iHI$fe7- F 1 4 
2 lc'M%> a 
Params. 

P a r am s_v e r : ^5^ — $(D/1— 7~3 7#-^ 
time: 4^IHa/8H!&«^7© S N T Pfca&BtH 
A F : 7Fl^X«| T Rl77 7 
n m a c 

[0 0 3 7] ^»7-F07s-A7F^X (H o A) 

feg*rtTt^^^-A7F7X7fe3^, ^7 
^-£{I(4*-Ax-7x77 (HA) 14 5t4ot 
^D(cfSS?tl3 0 7 F7X"tJ-MPl7 7 7^iSS^n 
TV^V^l^", ^ft7-F 1 3 5fcmiIW&77£-7 
i-Xj»BiJ?*ffifflLTt,«tV\ am5fe7-F 1 4 2 
(4, 4-A7 FUX<D7 77-7x-Xi(^J-7-i:t(M7 
F7X£D7 7^-7x-XHSiJ7^Pi:7$)3^^S7 
3o 7FUXM»iE77 7*^^nT^3^, f( 
{47 KUXtcfcS;!/— r-r y^gMfcE^RTf Sfcfc©, 
±IE7 7 ^ - 7 x - X Hl^iJ 7 h (4 H & 3 ^fr^ff ffl o tl 
Tfe«t^o ABKp3^>y42-7*^t5?3^, Jlfgft 
7-F 1 4 2(4^7^-7fg^Si!Sb, N4AC (SHA 
1 (HAA.Nl) ,k_CN) x^H+g73o /^7^- 
^fI^4fa(c^$tlT^3ii^, Ifettta^yt 
Ftlt©*n/c^'y4r-7IS!iExi- F (M 
essage Authentication Cod 
e) i/)%S(L^l^ t Mtt7FUXt±KSE£n& 
t\ ^43, jifif,?7/-- v ; 4 2liX7-^'yfe-^g 
p> * l \ ^ 7 ^ - # fil^4i 'a t $ n T I >ft I •> ^1%, 
afSft7-Fl 4 2(4^-Ax-7x7h • xx^-vX 
h • 7 FUX (A B P k 3 7 y t-^OjMff tc7 F 7 
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E = ENCRYPT (k_m, I P u K, P a r ams) 
±!57;l/:fJXATii, 
k_m=SHA 1 (HoA.k.CN) 0 
[0 0 3 8] k_m(i, afs^y-F 1 4 2jWJjSU 

^ft/-K i 3 5 fc#*rf stt&^fcfo & 

@)/-Fl 3 5 0*-Z»7HW (Ho A) fc&Utt/ 10 

ffiffifto^^HA^ija^n*, ^iiy-K 1350 

oTl£^tSnT^«o ABKp4^7t- 
isfr^frnzt, Kl 3 5(ik_m = DECR 

YPT (E,IPrK,Params) ^figffl LTWiSIf 

[0 0 3 9] ttfcfiWRMSMy-fe-^ S^/^/I/ 
I P v eMUKLfctfoT, ^Kl/-F 1 3 5^6iifl 

$BM§T^ 'yfe-^tt^manf w-^^y^a ymm 
tt^tso ttfcmm^r-ZTfy^aymmts &tfk 20 

^•tWA-VMtiittirc^ vfe-5?ggE3- F (MAC) 

Rffi?3F€fcJ\ WTfc^tttaSfr 6 IWS ti*. 
raac=MAC (SHA1 (BU,k„r) ,k) 
lCT?, -fe >y y a yiffi k = S H A 1 ( k_m | k_ r ) 

[0 0 4 0] ttfSfflflrarSMoBHc, gffljy-F 1 3 
5©*-A7FUX (Ho A) £7 F PX^HtRTX^ 30 
yAFtfi&SSftTVfcV>»^ ii{S^/-F 1 4 2 
fcJU ffi^SftfcatflTFU* (Co A) 0^y^-7i 
-^^BWfr-ATKUX (Ho A) (D^y^-7x 

yX&ftjS'htfBMfT/^y F©*-A7 FbX • ^7°y 

&v^§£\ a^y-F 1 4 2«iifti4x7-3-K* 
s^bfe/w y7V <o w$n%mm?%c 

[0041] 7 vuTsmmmy^^A Fffwfeztix 

V^il^ afg5 , c/-Ftt7FbX^WpJ7;b3UX 40 
A^RLT, Sffty-Kl 3 5 #7 K LT 

[0 0 4 2] 7 FbX»if.!E7^7A FtfiftS^tlT 
435. "f, jSjSStlfc&flTKU* (Co A) <?My^- 
7x-Xll&J7^M&|fffiMfT^7-y h©*-A7 FU 
Xt/*i/3VrtC*-A7KW (Ho A) ©yy^- 
T'i-^USU^fc— SWSli^tffeS. Sfc, 7FI/X 
SS*KSE77?A FtffS^StlTfcO, ^®J/-FT~0 
7 F UXg»tfgaESftT^3«£tf&5. V"fft©ig 
(r-eJo^'c o. afaft/- F 1 4 2 t±, k_m= SUA 50 
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1 (HoA, k_CN) fcffWLfcft, k = SHAl 
(k_m | k_r) SgtUfSo ftjS'UffgHlEx 
-^^-7°->3ytDHIE^ : ^e.t#e.nSma cfB^ M 
AC (SHA1 (BU,k_r) ,k) *ltgCTf#5tl 

zmtttm-zz. tic^iQ, mm^s- f i 4 2 
M5t7-F U2I4, saE^s»t#^5nfe<ifc*^-r 

ttJSffifSgtfWOSIfcl (BA) *<yfe-s*£2£S. tL 
aM5t7- Fl 4 2tt, ^iltfifcafeLfcCfc** 
f^lS1W8SitWt)jl»I (BA) *y<k-i?%mZo 
[0 0 4 3] *-Ax-i>'x>h (HA) 14 5^7F 
l^X^M T nl797^£-r§^* A B P k 3 ^ >y-fe 
-v^CT^&^IStK $i&/-F 1 3 514, *-A7 

f ixx©-r y # - 7 x -xiigij-7- tmvjy*-?*- 
xm&-%$m7 f pxtcffiffl-r § Q 7 f ux£»bsie 
77^* t aasstiTv»avtt>^t>5"f, y^-7 

^s. afi5fe/-Fi 4 2 tiftjsif fro? 

7-F 1 3 5K2SSo 

[0 0 4 4] *-Al->*i y h 1 4 5 #7 F UX£& 

%m 7 5 c t , fBj & ^©ftia^ff t»nr c 

t^LT^Si^ ^Bj7- F 1 3 5 ©*-A7 F y 

x<D-ry^-7x-7.ilsij?^mM7 YUXiDZfttm 

ftoTtS^, *-A7FyXtStt7 FUXWfft 

© -r y * - 7 x - x!igy?^fi% § c £ t «fc o t\ w £ 

*-A7 FUX (HoA) £f#oHij/- F 1 3 5 
£Mtt7FUX (Co A) ^aH-rSCt^KfeSWRT 
aft rc7- F 1 4 2 tm)}/~ F 1 3 5 &±t# 

-r§ 0 *-A7 f yx^MM7 Fyx^M-r^fjt l 

T, Hg^fb^tlfc7FyX^A 
[0 0 4 5] £S&/-Ffc*©sfr-A7 FbX^fSM 

^ttBU^ti-So afi^fey-Fi 4 2 a, *-ai-j? 

xyh (HA) 1 4 5^5^5^-^*ESSttUl5o 
[0 0 4 6] #|jj7- F 1 3 5 tf, «^<OA B K p 1 

^•y-b-^jMoTafi^y-F 1 4 2*iifc-r»&s 

afl7t7-F 1 4 2l±^>yb— y^§lt^§oiltc^5 

. x-7*;i/*»a-rs 0 ^ct\ afi7c7-F 1 

4 2^Wa-r§7-Ax-yxy ]- 1 4 5 0/^7^-^ 

-ax— >*i y f^^^-^^v^Ip, afiTt/— 

F 1 4 2 &*-Ax— i>'x yhl45tcABKp2^-y 
•fe-^iloT, f®^7^-^%g*t§„ 7^y<- 

^^a&Lft^ist), afi^y-Fi 42a, abk p 

2 y< y -fe— J?SIrI— O^— Ax— : ^x 45 t-Moi 

L4^„ afi^y-F 1 4 2tt, y^-y-t'-y^^oirxo 
*-Ax-y x yh i 4 5tfl^<«A 
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B K p 2 7 y-fe— i^^feStlfctl^ *-Al-v i i 
yh 1 4 SttfOF^^V^-iTKUX (Ho 

a) ^ty-r^Tfo^yb-^fis^-rso 

[0 0 4 7] S^^y-fe— ^KiE3— K (nmac) * 
fi&Bf 5C£tc<fcoT\ Hf§?c7-Fl 4 2k<£>jHI£ 
fe L < tt^SOA B K p 3 ^ 7 Hr-S^SUl b 

#£ftr <* C T? t § o ^t£© A B K p 4 ^ 7 M—*JK 
HLT, II/-F 1 3 5 2MB Kp 1 *vk-i/<DB 

^tsg#L^o/c^ mmy-Y 1 3 stt^-ns© 10 

>>^iat§„ g«i/-Ki 3 5(t Mjsit$sMff*M 

^Dii^p (ba) ^yfe-s?*jftffi-rao 
[0048] ®my-v 1 3 5, iifa^y-F 1 4 2, 

ftm*ofcmtf j km-%o wimy-v 142a, &»> 20 

MSfr£ftSffi©«tt7KbX (C 
oA) fc3l£ffitj85 0 ABKplfrSABKp3©# 

SrH^I4«^?.o Cfr U A B K p 4 7 y -fe-S^BSE 
[0 0 4 9] flH(DSlW^T\ iHi$fc7— F 1 4 2tf* 

-ii-^iyF 1 4 5ffl©sep^M»aE^«*-&A,-e 30 
mm-9t/- f 1 4 2 a b k p 2 a b 

K p 3m%h?y*f9 TLS (Transpo 

rt Level Security, RFC224 
6) 7°n h P;l/i^|ijfflt^„ ilCTLS^a F xt;WC 
ioT, *-ixX->*i>F • F 7 7+77 7 3 y\<DWj 

[0 0 5 0] ®ms- F 1 3 5 U 7V 1^7 Fi£*£ig 

•t&mi3:%-9-?*y hoWWiiUr FPX (CoA) * 
#A7£, MfStfffiHfT^JifH^/- F 1 4 2 £5££ft 40 
5o jlfaft7- F 1 4 2 14, U 94 h&*©*fc#g 

< Tfe, il/-FOF7t7 U 7V b7 
FlF£ 0 StftfTFUT, (CoA) feim*^ 
il->'i> F 1 4 5 F 1 3 5 tSllO ST 

P>nfc^> £-7 x-^HBU?^ $®J/-F 1 3 5© 

,t-A7Fux (Ho a) k&mtz&SK&ibs—v 

1 3 5 ;_^:]<.) L^t4oT, U 2V b7 M&**66 
lh-etSo 7>7^7x-XfigiH-£*-A7 
F UXJCffiffl-TS C 7, Sfl&y- F 1 3 5 :,]:. F:77 50 
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WlS-T^MftTFl^X (CoA) Utft-©7FUX£g& 
57 — F ^JfM-T S C k £K <'c T * t 5 o 7 - 
F 1 3 5 (4, ?<T<Dmttf7 Fl/X (C o A) II 

7 7-7 ^-TsW.mi'mmt £ 0 ra i»F7« 

hSBftStifc^v Ff4, ^fftttJ:, *-A7 F 
7x^t?*-A7 FP 7 • ff^a y%^$s-frt>x*$> 

[0 0 5 1] H^aLfci9^77-7^ML/clf 
£\ 7 F UX • ^-7. F • (A B K) 5rE!7a F a 
>M4> SWA *-ix-i/*xyF 1 4 5*^7F7X 
•^-XF-+- (ABK) * (^tJ:oTtt» 
t) *f®]7- F 1 3 5 tffi^-TSo A B K#IS7°P F a 
;W4, fctZ.il I A N A (Internet A s s i 
gned Number Authority) tio 
TWO^TSnS^tsK-bts TCP (Transm 
ission Control Protocol) F 
7>X^-F^Wt§o ABK7"nFn;Wi IPs 
ecESP (encapsulating secur 
ity payload) t PW;HPv6| 
JgtaXoT^fl^tlA, *-il-7i>F/M/- 
FWa'Jr-f • 77 7X-7 3 V^ffl^TSISn 
§ 0 ABK7"nFn;Wi, A B KS*k A B KJ58F0 2 
o©7 'y-b-7^itiy7°D bn;l/T?SSo 
[0 0 5 2] 0 3 tt, ABK gi]<7 >y -b-7'(DlM^^ 
ft>0 , e*So ABKS^-yb-^ DrL^ABK 
Ml}/ K 1 3 5frfi*-Ax-7 
x7hl 45t)Mf3tl^o cC^-yt-^OV-Tv/F 
UXtt, i$W7-F^*-A7FU'XT*&§c ^7F 
UXti, *-Ai->*i>F • 7FUXT*fe£ 0 ABK 
7 «yb-^fct4, *-Ai-7i> F fc^iftZ-KKT? 
afisnst+a'Jf-i • 777-X--73 y£#b-ffc 
i6©, ESP — I P s e c^7 77?69 IPseCN'y^ 

o T Bg^f t ? tlT t> «fc V\ A B K S>J< 7 -V b 

0 1 09 x. {f 5 & i? ©JSfil^SS 7 ;!/ rf U X A 
Wg!lW^«3 1 0(4, IfnWO, SlfL/c4^7 
F © 7 ;b U 7' AIfgiJ7 U 3 - F ©#^T? S 0 7 ;!/ df 
U XAaffiiJ^fgJ* 3 2 0(4, I ANAticitSbn- 
FlcSiJDSTBn/c, 2A7 F»l^ft:7;l/d'UXA 
»g!r?*WrSo ^77-7 • /n-7h yt^fS3 3 
0t±, 7;bri , UX7Nli!eiJ7*/T;7, 2/WF©^77- 
7 • A-i>'a > (f'v 

[0 0 5 3] ^ij7-F 1 3 5«*-A*7 F7-7t 

L>7 (CoA) t4-A7FUX (Ho A) 
tfolj-^o •?■ LXWih/— F 1 3 5(4, 4-Ax-7x 
>Fl 4 5-^7-y-fe-^iS Fy^K§L>T\ ffico 
^77-7 F-\©lA7^;F7U77*|H!il7§ 0 »7 
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— F 1 3 5(i, ^ft^ftjS73 7/1/3 UXA^Lft, 

mmm-3< mmtrn =ry XAUiswu x f ^, & 

K)7-K 1 3 5tfil5nT^S/^^'-*OgSf^-i? 
a y#^fifoTV^„ «0|^{fc7/loUXA!$£iJ7 
UXF(4, ^fty-FfcfcoTSfSUMiS, /ci^tf 

[0 0 5 4] IPsecWa'Jf-f •TVv'X-v'a 

y(4, fas*-A7Fi/x (Ho As) ^ffJD^re 

nrclffj/- Kl 3 5 CD*, 45 10 

5(4f£« (I P r K) ^g!±j7£o UtOtx 

— 7x>F i 4 5ti, i%>r»j YnmnftTYVT. ('&m 

^PfcLT©*— A7KUX^*J&"f) t, SNTP 

14 5B, y^Ilii, /W-^i:, 7/l/rfyXAfr5 
8H!B®£tt3o H«B«0£J5JU6*fci\ ABKj£g*ytr 20 
-S>X«y- Fl 3 4 t|SS?tl5„ 

[0055] El 4 AB KJS^^ v -tr-^©*!^^ 
7fc©7$>£o A B KJSSF;* ^—7(4, fMJj/-Fi 
3 5fr5g#Stl*— Al-^'iV F 1 4 5fcWlS1" 

3, r^auXAtc^js-rs^v^-^cDuxh^-g- 
<&o ^(c, mi/- k 1 3 5*^wsi*gaLfcigfc 

llffl L fc, (»<D) &*jjHf Wfitf A B K fS£* v 4r-7 
ttSMo IPWKILT, ABKfS^-y-t-7 
OV-X7HWIi, *-ii->*i>h -7FbX^' 
ft: 7 '4 >!., ?3?g7FI/X(4, F<777-A7 F U 30 

X (Ho A) tfffl^-TSo I P'N^HU *-Ai 
->*iyF/»y-TOWa'Jf^ • 7V7X-7 
3 7KJiE SP-IPse c^X^tt^tl, />7-y 

[0056] x> "t-^m^om^m L, ABK/>v 

■fe-S^SS!3-K^«4 0 OEli0y*tf6fcH0SMiItf 
7(4flii©y< y-fe-^fcEtfttSftS,, 7-X$jHtf»S 

4 1 oti, m^mtmrs^t, 4/uh©iE»* 

^7*-*/*-«*tU3-F««4 2 0(4, 7 40 
;WU XA cT i: ©rM5 Un- F 3 2 

cd;^^-^ • Un- Kfc*- • Lo— FfclBU 

• U3-FgSa«4 3 0(4, 7;WUXA 

45ot, ;^/~$+wmmvx]-mm4 6 o^ 

tf, • U3-F©-fi£ (/WF) * 

tT-7o 7;UP'JXA»7-fi«4 4 0(4, §Un-F(c 
#LT I ANAfc cfcoTfiJD^T&tlXc, 
BiJHf^fb7;I/PUXAliSiJ-T^#tyo 50 
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^a^S^fS«4 5 0(4, 7;l/nUXAI®J7^-r, 

-$+mmmv x hfi«4 e o (4, 7;i/=ru xahsijt- 
y*-$t wmm u x f z^tso 

[0 0 5 7] A B Kg^CjSl^T, Ax-^xVh 
1 4 5(4, Hg^fk^ffiU fro, JI^J^E S P{»vy 

xwtr, ABKjs^'vb-^jiiM'rso 

-F 1 3 5fr#-A*<y F7~?£JSLTV&^i§^ 
ABKj£gy<-y-fe-7(4f(tt7FbX (Co A) £ilt; 

3 5fc«£ft«. C(Di±mW±, F77 
4y#tf&Wl/—\ t 1 3 5<D*-A7FUX (Ho A) 

-Fl 3 5(c<£oTli*£nfc^fr%£77nyXA(c 

,7-Ax-i/'x>F 1 4 5frftjSL&l^±I£, 

8#HStS«4 1 0 • 

4 2 0(4^nWtfa»f o -73, lf»j/-F*W 

737/1/3" U XA£*-Ax-;7x y F AW- F LT 

l/^lf^, &*0lg«tttfDWtt©fit*^ , fo *-Ax 

-:7x7F 1 4 5ftM#S©7/l/3yXA(Cft]SL&^if 

£\ WHZtlfcrfrdV XA©7/l/3 U XAfiS(IWM 

4 4 0fc, U3-Fj^«»l*ns. S/c, 7;l/rfUXA 

^WJSL*1^(4, H 7 ^-^ • M-S>g 

4 5 0(4-tfP^^L, /<7^-^+SH6«®«4 6 0tt 

[0 0 5 8] ^Kj/-f i 3 5 t^-rs«F^o7;i/=r 

^Hffiffi)^ L T ^ § ^- V s 3 y % U 3 - F (4 
S#*tifc7;U=ru XACD771/3 u XA8KBif?ffi« 4 4 
0 fcSff©^7*-2^-S>3 >S-^«4 5 0(Cfe« 
^n§o L^U ^7^-^Tg«I«4 6 0{» 
8H67-F1 3 5(4, *+'y^aLLfe^7^ 
^v^-^A^M, 
7^ S7« Lii^So I P s e c U 7^ • 7V 
fyx-i/a >fc(4, Ax— ->*x>F 1 4 5*^gjy 
- F 1 3 5 K A B K y -t-7*^fg7^ 5 «fc 3 ffi 
iE-T§3^^73 A B 

(ts t, ^»7- ^mmmmm.mumt^rat^ 

7)Vd U XA ^ i: (cf£«i: ^5 ^-^Wt'y->at 

{trildV XA^r^-Ax-7x > F icS*7^ 0 
[0 0 5 9] ^5^-^fflMbiiS7(4, HK/-F 1 
3 5(4, 7-Ax-7x>F 1 4 5 t^^f^fc/^y 
^-^*OTt-rSJ:5tiiM5fe7-F 1 4 2fcg*f 
5c ^# / F 1 3 5 (4, iltfttSffitBifeKli 

^r^fj-rso rtyt—timffltyu fp;w4, abk» 

IEXo F^;bi LTffit>nS, I ANASStJ5fe*^>3 
>a 7 XtfiJD^T 5 nfc^?- F7\ TCP Xn F 
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m^y-Yi 3 sis, &Mtf7uh^fr%:mPh 

73^77-77 >y F7-7(c^&^li£, 
7x 7 h 1 4 5 LT> ABKpU y-b-i^rjl 
{§7g7- F 1 4 2 (7£ h 7*;1/LT, 7°n h n/l/fcUB^ 
T§o ABKp4^ -y 42-7(4, g2p-t^77 I PtiM8 
EioT^ *-Ax-i>iyf 1 4 5^8^LT^®j7 

- F 1 3 5 tM^^n^o A B K p 2 7 y-b-7'i: A B 
Kp3^ y4r-:7(4, afl^Z- F 1 4 2 bt-Ax- 
->*i>f 1 4 5©MW!3 5!!)?n5, 

[0060] 05(4ABKpl7-y 42— ^OgjjSc^ 10 
f o fMo7-F 1 3 5»s-i,*7f7-^tfiHS 
ABKpl^ v-k-islZ&W)/- F 1 3 5^5 
1 4 5^llEl3LTs WJSIffBIISf* 
SitSftfeoyn h LXm\t9t/- F 1 4 2t 

Ih^Mtl^o C©ScD^g7c7FIxXl4, ^i]/ 
-Fl 3 5(D7-77F7772d£ 0 yE7t;7 F 1^7(4, 
jlltyt7-Fl 4 2©7F>XT'fe§„ ffiO^y-b-^ 
£ES'JT£fc^ y<y42— 7Hiyn-F5 0 0iam%- 

i * Eomimm^tn^o r^v xmwi^m^ 

vJM5 1 0t4, 4fn4:D&:*:^©, Jit! L 7c 4 ^7 F 20 
<D777UXAiiSiJ77xi-F#^5 2 0£^7? o 7/F 
i'J XAIi^H-fiia 5 2 0 14, I A N A 74 o T^l-xi 

- Kfcffl o ST^n/c, 2/w h ougij^ ta-if < ug^ 

ft777UX7PiSy : ?£:a& , o /^77-7 • /S-7a 7 

fMtfuss 3 o(4, 7;iouxA!$simctt^£n?>, 

— * • A-7a >#^7(4, ^fj/~F 1 3 5tioT 
fJft«^£tlTl^^7 7-7 • A-7a 

ifo^TW. *-*sbi^Hfii« 5 4 o 14, ^ay 
- vm^^-o^mm^fetz. 4/wfosn 30 

[0 0 6 1 ] 0 6(4, A B K p 2 ^ 7 -fe-^OtM^^ 
To ABK P 2^ y 42-7(4, il{l7t7- F 1 4 2 (c J: 
oT^-Ax-y'iyf 1 4 5(c£H§£tl&o ABKp 
2 * -y-b-i"y)^f, i7:;7 Fl^X(4, fflfgyc/- F 1 4 2 
©7FbXTfe§o £S7t;7FbXt4, \-0; i: X 

*y H*J(7iST §7-7x-7x7 h • xx^++X 
F • 7 FbX7&S„ £©*— Ax— y*iy h • ix^ 
^tXf • 7 F 77.(4, *M?J7-F 1 3 5tf#tf> *- 
77 F 77 • +47* y h • 777 -i >y 7 7 fc 4 o T?77£ 40 
2*i3o y< y -b- 7W(4 , 7 -y 42 - ^^HMfSM 6 0 0 
^#ty 0 7LT, ;*y42-77*fc(Cy<y42-7i§§Uxi- 
F^fOxtf 2 S:201iS;§t?T'iSn4 7 y42-7 
C>j£gll£&#ili-&J§£\ lHIfl«6 1 0(44fn(c^ 
£tl£„ ^42-71111x1- FpI«6 2 0 7i4, % 

%V>* y42-7fIIExi- F (1 6 0 tTy h H-M A C 
S H A — 1 ) %'WSLtZ>o *-77 F 718 6 3 0T 5 
(4, #©J7-F1 3 5^7-77 F77£#£T?>„ 7 
77UX7IiigiJ7#^I«6 4 0(4, Ma&ft<D, MM 
L 7 2 A7 h • 77 7 U X7|§giJ7 Uxi— F coS^tf 50 
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Jt5, 777 U X7f$5b77- U 7 F W®. 6 5 0 (4, I A 
N A £ /c(4ftf!©x77-r 7-4 74 oT&Fxi- F(7f[J D 
^TStl/7 2^7 hMiJBi^ft777-JX7^£f 

•5>o 

[0 0 6 2] i$Sj/-F 1 3 5^5»jMfg$n7'OA B K 
p 1 y<>y-b-7(c^Sti, jlfiyc/-F 1 4 2£*fj£f 
£7^xfUX7©'5'5, 7©^77-7 -^-7*3 711 
*ftf, )ifl7fe7-Fl 4 2(aoT4t'r>aStlft^ 
77-7 • ^-7a >#^-i:^L*l^777UX7^ 
S§o 7;l/d7X7fi£iJ7l>7hT(4, *•©<}: -5 &7;l/ 
7UX7^'#S7§o A B K p 1 7 'yt-^Sl/- 
F 1 3 5 frtbmMZfttcV 7>hti^iS7)ldVXL.<D'P 

^©1^774- -y 7a LTi/^^o, iIMft7- F 1 
4 2(+ABKp2/:yt-^SiLftl\ £tl(4, 31 
M7-F 1 4 2 77 $»J7- F 1 3 5 t>^t57)ldV 
X A t ^-ScT § 7 ;F d y X A^ffiffl "T § ^ 5 7- h % 0 

[0063] 07 (4, ABKp37'y 7-7©|M^^ 
7o ci(D7'y7-7(Dflfl77F77(4, 7-7X-7 
i>M4 5©7KU7t*$«, yErn7F 1^7(4, Jifg 
9tJ— F 1 4 2 ©7 F U7-(?fe?. 0 7 -y-b-7W4, 
7 -y 7-7|IHMii 7 0 0 %t$S 0 H ©m«T(4, A B 
Ky<-y-b-77:$J-L, ^iJx(43^H©@W©7>y4r-7 
^ISxi-F^^nSo A ^7 1 0(4, *IS£x7V7 
FS§i/H4!S:£x]x'7F7#^7So 7-7x 
-7x7h 1 4 5^7-A7FU-7 (Ho A) T^fflT 
^777-7x - 7,!iBiJ7 |W| C 7 7 ^ - 7 x -7li)jiJ 
7*mFJ'7Fb7 (Co A) 7tfgffl754at, f#»J 
7-F 1 3 5 7*i6?.if^, *^XlV7F*W$tl 
§o utUcML, S4?»7F77^!SfE»I^j7n 
Stf^, fg/7xi v^F^ffl^tlSo 7fiiiIJsl7 2 0 
(4, y<'y4z-7)7sfI7^LT7D(c:fS£^t4§o S£7 
'y7-7!SIIxi-FM«7 3 07(4, ABKp 2^yt 
- 7T3HI $ tl7c@£fl h 73 ; 77 5, W£® 7 7 7-7 
ISIIEX7- F (16 0 E'-y h H-MA C S 14 A- 1 ) * 

[0 0 6 4] ^77-7- • 7xi- F# J ^fIM7 4 0(4, 
pJS-1^7y:-7 • >:i- 7 ^77;^ij(4-<7 A?*- 
7 • l^xi-FilW7 5 0(4, &7xi-F£D7cJ6(7 7 
77>JX7„lBiJ7fS«7 6 0, ^77-7 • ^-77 7 
m^vMl 7 0, *547V^77-7pItt7 8 0%*atS, 
;^77-7 • Uxi-FOfi$ 77 b) £#,7T5o 7 
7 7 U X7Ii!^iJ7pMa 760 (4, I ANAt4ot§U 
xi- F7iJ0 STP»7i7c, 2sUh<D®%mmt7)l3 
VXAmftfr^tZo ^7 7-7 -^-73 711^1 
li7 7 0(4, 777UX7I1S777^7 67^, 2/U 
ht0^7y<-7 • ^— 7a yt^5-t7 ^77-7fiI 
if 7 8 0(4, 7 Xl+mmTWt&lcLfctf-DXZtD 
74--V7 h777£?7lS, 7^M^7y<-7fiM7 9 
0^-fixSo 
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[0 0 6 5] 1 3 5©*-A7FbX (H o 

A) fc^TUn— K*j$ -3T^*^i^ *-Ax-i>' 

■tfnfcgft^Sti^ A B K p 3 y vfe-S>*iH8$fc/- 
FtcjS^f S 0 ^5*-* • U3-K#W§E7 4 0W: 

5#\ ABK p 3^'yfe-^t#$tlTJMSnfeUX h 

-F£3t{ffS 0 /^y-^.yV- 10 

HTH4, ^-Ax-^i^h 1 4 514, ^dV^* — * 
^WlTS A B K p 2 y yfe-^fc-&Stlfc#T;Udru X 
AO/cidtc, /^7-* • U3-H*iHttfrSo 
[0 0 6 6] 0 8(4, ABKp4^-yfe-v ; (D|ii?g^ 
to C<Dp«y-b-i?©I PTKUXfittKiiU V-X 
7 F PXtejIflfty- F©7 K UXsWRSf So -75, 
&S7- F<£>*-A7 FUXttJB$fc7 FU-X7ifcSo y 
>y-te-7(4, *y*>-i?m8i$m8 0 0%'£tSo ZLQffi 20 

So W»n-Ffi«8 l 0(4, ^yt->li^ta 

0 • • • 

1 • • • 7;UrfUXA{4'tJ-sH-h^nTV&v\ WhJ 

- F l 3 5 tmm9t/- F l 4 2 ^7;I/3 u XA^^f 
LfciMf^ 3-f r i j #*jgfl£tiSo 

2 . . . /^y-yti^jjLT^So &®S~-V£PiG 
t2>?<T<D7)ldVXl.lC, ^Ai-^iVF 1 4 30 
5 ICioTjS^ftfc/^y — ^OA- 7 s 7f|i§#\ 
^»jy-Fl 3 5fc«toTSI«Snfc^7^-^0^<- 
5>a>««fc LViB^ 3-F T2j tfiHIStl 

S Q 

[0 0 6 7] 7/l/rf'J XABBifi^iS 8 2 o 14, -fe >y 7 
a >il*fFi»/ci6tafI^7- F 1 4 2 Cfc^TffflJ 
nS77xfUXA^-f, 2;W hfiD7;l/druXA»SiJ 
fliHfftStfi2Tl«8 3 0(4, HreffcSttfc-fe 
•y^3>II (E) <D&2*'U bWi7BJ!5frfc7So 
±$L/c<htdD, E (4 ENCRYPT (k_m,IPu 40 
K.Pa r ams) t m l7#J*7feSo Hg*f{t£nfc-tr 

y>3>» (e) (4 tej mMs 4 0fc"gr*nSo 
[0 0 6 8] 7;l/=ruXAWSiJ?tt«fi, £3rS*5<fctf 

- F 1 4 2 (4, F 1 35^ABKpM<y-b- 

So SR£nfc7/l/3 U XA<D^7y-yti, ABKp 
3y>y-fe— 7;&jII;t#— Ax— ->*i> h 1 4 5frt>M 
^4l§Cfc7\ fcSW4, ABKp2tL<iiABK 
p 3 y >y 4? - 7WS&±§£, Mis9t/ — F 1 4 2fr>£ 50 
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fi 4 2t4, awsnfer^JuXAomsri^r^rf 
uXAHgimiigc8 2 orttcwrso why-wtzv 

ttj-fr (c JS C T U 7 h ^Mtflf x. T f> § © T\ iiMfty - 
F 1 4 2 (4, ABKp 1 y y-te-^il ITt^fty- F 
E4o TiMStl/c U X h P4TSa«HI#tcgfe ifiv>7;l/ 

=ruXA*aft-f So 

[0 0 6 9] Bg^ft-b v 7 3 >HkS^C 8 4 0 (4, ^tt/ 

- f 1 3 5 cd^» mm/- f i 3 5 ©*-A7 f u 

X (Ho A) i7 ^-^jBff^&gHi) t7MUX 

#Cy 0 ilEMS^^-V-y H4, 7^a'JXAtfSD 
T£*5nSfe(D7SD, 7;l/3UXAf±«7^S 0 & 
Kj7-F©*-A7FUX (Ho A) £8»LTft^fc 
*-Ax-7'x>h 1 4 5^6-&S^, ilftfty- 
F 1 4 2»4jS«F*vfe-^*a!S3S:l/\> 
[0 0 7 0] ilfa7 f cy- F 1 4 2 (4, ^ffij7- F 1 3 5 
i^Sc-f S 7/1/ xf U XA£*©^7 * - * x «£jI|R7? 

7-t-^CD^g|?^r&fe&nSo FMM^-e 
DfcSSSftTVfc^jf^ SlfaftZ-Fl 4 2lifl&© 

afiTfe/- f 1 4 2 mm/- f i 3 

5^, / >>5;< tfe 1 0(D7;brfUXAil^7y-^ • A 

-i?a yoy{mfttemc£Mtz>i§'£?, mm9ty- F 1 

4 2t4^ML/i7;l/nUXA^Jl^So ffi*^-t±© 

as?E^s ofc < &^ti£«^-n4, jifiTfey- f 1 

4 2(i/>- 4fpm^-F^jM6^;V\ 
[0 0 71] W(S1lHHH»f*fii«1'Sfeii)tCA B K*ffi 

SIEh-^>'_ma c_ti:ttc, «PP^U;H P v 6 

F14 2BI7--3-H13 7 (^aSSIiE) **fjS1f 
ffifillf-jS^ (Binding Acknowledge 
m e n t ) tjiSo 7 F bXMMSII^x y^m<m L 
rzm£, <i-'4:iV'l ; bX (Co A) fcttKSEStlT^fc 

^Lt^t 17- • xi- vmrnj- f 1 3 s 

P>4iSo 

[0 0 7 2] A B KMjS'ff^fftTMffl^tlS^^fS 

B»Jffif#{Wk7;l/ J U XA<o/fctofc, 7;i/xT y XA*^ 
U I ANAtCfc^TS!l0aT5tlfc7;l/druXAfflS 

3- F, A B KJt^y -y-tr-7rt0^vy-^+ I P r 
KnS«^^t.-r7*-^'y k ABKp 3^742-^ 
(D/^^—^mW.^tityt-^y h, fecfcOfABK 
p4^7 -b-^rtOHg^t-fe 'y 5/ 3 7Hpi^^a^-T7 

4- V7h4M«t§, f±S^$.So cofilitt, 7> 
* - * «y h Kffi * X y 7 * -XHPS* 4 o TiWS * 
ns 0 ffc, I AN At4oT|iJ^^T5»nS^t7n 
bzjuorctbic, TC P77-y hS^^feBflSo 5 
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zic&My-Fi 3 5t>\ fozmwrFux ceo * 

A) '\OgM*KiiE£ftfc^«#tt, fVOM P/U 
[0 0 7 3] «±, i«%^I«I*#iLoo« 

[0 0 7 4] 
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[ias©fS¥&!^] 

[0 1 ] te|^A-f;l/7^-bX IP (Interne 
t Protocol)*"; h V— ?<D— %tibffl"1*& 

[gi2] m^mmMffizumtzrctb®, mmmt 

%/ X r A o H SI M £ ^ f 7 ^- 0 "V h S o 
[03] ABKgt^7t-^MM^§„ 
[0 4] A B «yfe-^©«|fi)tM"P*«o 
[0 5] ABKpl^ v-fe-^OfcJigflfl-efcSo 
[0 6] ABKp2^7 *Z~i?0Ml$m~?&%o 
[0 7] ABKpS^'y fc-^ftSflTefcS,, 
[0 8] A B K p 4 * y fc-S^DfcfigGrcfc 3, 
[ff^tDfM] 
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SECURING BINDING UPDATE USING ADDRESS BASED KEYS 
RELATED APPLICATIONS 

This application claims priority to the earlier filed provisional U.S. 
patent applications serial number 60/358,177, filed February 19, 2002 and 
5 serial number 60/416,029, filed October 3, 2002, both entitled "Securing 

MIPV6 Binding Update Using Address Based Keys (ABK)/' which are 
incorporated by reference herein. 

BACKGROUND 

The results of known Mobile IP design work and technical discussions 
trend toward accepting Return Routability (RR) as the basic technique for 
securing MIPv6 Binding Update (BU). A wide variety of proposed 
mechanisms for Return Routability exist Yet, there is recognition that Return 
Routability has drawbacks, both in terms of its security properties and also 
performance. 

While identity based cryptosystems are known in the cryptographic 
community, they have not been used in the networking security community. 
The Diffie-Hellman technique remains the reigning standard. Moreover, until 
recently, there have been no known identity based cryptographic algorithms 
that could be used to perform encryption. The existing algorithms have been 
restricted to digital signature calculation, and therefore have been limited in 
scope. Recent work has established new algorithms, based on elliptic curves, 
which allow encryption to be performed as well. 

BRIEF SUMMARY 

A system and method are disclosed for securing Binding Update in a 
25 wireless telecommunications system. A public key is established using a 

home address value of the mobile host. Thereafter, a home agent generates 
a private key using public cryptographic parameters, that corresponds to the 
mobile host and the public key. 

When the mobile host initiates a conversation with a correspondent 
30 node, the mobile host sends a message via the home agent to the 
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correspondent node requesting that the correspondent node obtain the public 
cryptographic parameters from the home agent. If the correspondent node 
does not have the cryptographic parameters, the correspondent node obtains 
the parameters from the home agent. The correspondent node uses the 
5 mobile host's home address and the cryptopara meters to encrypt a shared 

secret key which is sent to the mobile host via the home agent. The mobile 
host decrypts the shared secret using the private key, and uses the shared 
secret to calcufate a message authentication code on the Binding Update. 
The correspondent node authenticates the binding update by examining the 
10 message authentication code, using the shared secret key. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 illustrates an exemplary wireless, mobile access, Internet 
Protocol network. 

FIG. 2 is a ladder diagram illustrating the use of an Identity-based 
1 5 cryptosystem to secure a Binding Update. 

FIG. 3 illustrates an exemplary ABK Request message. 
FIG. 4 illustrates an exemplary ABK Reply message. 
FIG. 5 illustrates an exemplary ABKpl message. 
FIG. 6 illustrates an exemplary ABKp2 message. 
20 FIG. 7 illustrates an exemplary ABKp3 message. 

FIG. 8 illustrates an exemplary ABKp4 message. 

DETAILED DESCRIPTION 

Presently preferred embodiments of a mechanism for securing 
telecommunication Binding Update are described herein with reference to the 

25 drawings, wherein like components are identified with the same references. 

The security mechanism includes the use of Address Based Keys (ABKs) or 
other encryption methodsfrom the Weil paring and cryptosystems based on 
pairing for shared secret encryption. The descriptions contained herein are 
intended to be exemplary in nature and are not intended to limit the scope of 

30 the invention. 
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A system and method are described for securing M!Pv6 Binding 
Updates using identity-based cryptography, identity-based cryptography 
includes a body of cryptographic techniques that allow a client to use a public 
Identifier, such as its IP address, as its public key. The client obtains private 
keys, along with a set of public cryptopara meters, from an Identity-based 
Private Key Generator (IPKG). A correspondent wanting to encrypt a 
message uses the client's public identity along with the public 
cryptoparameters. The correspondent obtains the public cryptoparameters 
from the IPKG. The client decrypts the message using its private key. 

FIG. 1 illustrates an exemplary wireless, mobile access, Internet 
Protocol (IP) network 100. The wireless, mobile access, IP network 100 has a 
fixed node IP data network 120 comprising numerous fixed nodes (not 
shown), i.e., fixed points of connection or links. Data is communicated within 
and over the network in accordance with Internet protocols such as Internet 
protocol version 6, specified as IETF RFC 2460, which is incorporated herein 
by reference. Built on the core network 120 is a collection of gate routers 130 
which collectively form an IP mobile backbone 140 and function, in 
accordance with the conventional Internet addressing and routing protocols, 
to route packets of data between source and destination nodes connected to 
the network. The gate routers 130 forming the IP mobile backbone 140 are 
themselves nodes of the core network 120 and have unique IP addresses for 
communication over the core network 120. 

Connected to each of the gate routers 130 are servers or routers 145, 
which also have unique IP addresses and function as Home Agents (HA) to 
interface mobile hosts, such as Mobile Nodes 135, and Correspondent Nodes 
142 to the core network 120. The Mobile Node 135 includes an interface to 
communicate with the Correspondent node 142, and vice versa. The 
Correspondent Node 142 may also be mobile. The Mobile Node 135 and 
Correspondent Node 142 may include different kinds of mobile, wireless 
communication devices including cellular handsets, cellular telephones, hand- 
held computers, personal information managers, wireless data terminals, and 
the like. 
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The Mobile Node 135 has an established security association with one 
or more home agents 145 on a home link. The Mobile Node 135 is 
programmed to detect moves between different points of attachment In the 
network 100. The Mobile Node 135 can be identified by a Home Address 
5 (HoA), i.e., an address of the Mobile Node 135 which does not change as the 

mobile node moves through the network 100. The Mobile Node 135 acquires 
a temporary care of address (COA) in each visited location of the network 
100. The Mobile Node 135 signals a change in care of address to the home 
agent 145 by sending a Binding Update message, secured by using an IPsec 
1 0 security associati on. 

The agents 145 have a wireless access network 150 by way of which 
the Mobile Node 135 and Correspondent Nodes 142 communicate with the 
Home and Foreign Agents 145. The home agent (HA) 145 can be 
implemented with a router on the home link that tracks the current location of 
15 the Mobile Node 135 and relays packets to, and \n some cases from, the 

Mobile Node 135. A home agent address (HAA) is a network address of the 
home agent 145. 

The wireless access networks 150 may include multiple wireless 
access points 155. The construction, arrangement, and functionality of the 
20 wireless access networks are conventional and standard. Similarly, the 

implementation of wireless LAN or similar digital data communication 
technology in wireless, Mobile Node devices 135 and wireless access points 
155 is standard. Detailed description thereof is not necessary to a complete 
understanding and appreciation of the present invention and is therefore 
25 omitted. 

To help ensure a secure connection between the Mobile Node 135 and 
the Home Agents 145, a mechanism for securing telecommunication Binding 
Update uses Address Based Keys. Address Based Keys use long-standing 
results in identity based cryptosystems to construct a public key based using 
30 the IP address of the Mobile Node 135. 

A security association is constructed between the Mobile Node 1 35 
and the Home Agent 145, by using IP security protocol (IPsec) found at 
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ftp://ftpJsi.edu/in-notes/rfc2401Jxt. The security association allows 
cryptographic parameter information to be distributed to the Mobile Node 135 
in a confidential and authenticated fashion. The Mobile Node 135, the Home 
Agent 145, and Correspondent Node142 implement the identity based 
cryptosystern. The Home Agent 145 includes an identity based Private Key 
Generator (IPKG) or includes secure access to an IPKG. 

The Mobile Node 135 is preferably a node which includes an 
established security association with one or more Home Agents 145 on its 
home link. The home link includes the subnet in the Mobile Node's home 
network where the Mobile Node's home address is topological^ located. The 
Mobile Node 135 can detect when it moves between different points of 
connection in the network 100. The Mobile Node 135 can acquire a 
temporary care of address in each visited location in the network 100, and 
signal a current care of address to the Home Agent 145 using the security 
association. The Correspondent Node 142 includes a node with which the 
Mobile Node 135 communicates. The Correspondent Node may Itself be 
mobile. The Mobile Node 135 includes a Home Address (HoA) which can 
include an address of the Mobile Node 135 which does not change as the 
mobile node moves through the communications network 100. The Home 
Agent can assign the Home Address (HoA) and send the Home Address 
(HoA) to the Mobile Node 135. 

The Home Agent 145 can be Implemented with a router on the home 
link. The Home Agent 145 can be used to track the Mobile Node's current 
location and relay packets to, and in some cases from, the Mobile Node 135. 
To specify the Mobile Node's current location, a Care of address (CoA) IP 
address can be assigned to the Mobile Node 135. The Mobile Node 1 35 can 
perform Route Optimization with the Correspondent Node 142 to avoid routing 
packets through the Home Agent 145. Performing Route Optimization 
decreases the latency of communication between the Mobile Node 135 and 
the Correspondent Node 142. The Mobile Node 135 performs Route 
Optimization by sending a Binding Update to the Correspondent Node 142 
when the care of address is changed. Address Based Keys (ABK) is a 
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technique that allows the Mobile Node 135 and Correspondent Node 142 to 
verify the authenticity of the Binding Updates. 

The Address Based Keys (ABK) encryption technique includes an 
identity based cryptosystern used to generate the Mobile Node's public key 
5 from its Home Address (HoA). Other identity based cryptosystems may be 

used such that it allows a publicly known identifier, such as the IPv6 address, 
to be used as the public key for authentication, key agreement, and 
encryption. The Identity based Private Key Generator (IPKG) includes an 
agent, such as a computer processor, that can execute an identity based 
1 0 cryptographic algorithm to generate the private key when presented with the 

public identifier that will act as the public key. 

Identity based cryptosystems include cryptographic techniques that 
allow a publicly known identifier, such as the email address or the IP address 
of a node, to function as the public key part of a public/private key pair for 
15 digital signature calculation, key agreement, and encryption. In identity-based 

signature protocols, the host, e.g. Mobile Node 135, signs a message using a 
private key supplied by the IPKG. The signature is then verified using the 
host's identity. In identity-based encryption, the encryptor uses the recipient's 
public identity to encrypt a message, and the recipient uses its private key to 
20 decrypt the ciphertext. As is generally the case with public key cryptography, 

the security of the systems depends on the difficulty of solving a hard number 
theory problem, such as factoring or a discrete log (or Diffie-Hellrnan) 
problem, identity- based cryptosystems can be constructed with or without 
key escrow. Protocols with key escrow can be performed in fewer passes 
25 than corresponding systems that do not provide for key escrow. Techniques 

from threshold cryptography allow the master key information to be distributed 
or shared among a number of IPKGs so that all of them can collude for a 
host's private key to be known to them. Such a scenario would allow for key 
escrow if necessary, by agreement among all the IPKGs, but guards against 
30 knowledge of the private keys by the IPKGs without mutual agreement. 

Identity-based cryptosystems include cryptographic systems that allow 
a publicly known identifier, such as an IPv6 address, to be used as a public 

6 
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key for authentication, key agreement, and encryption. Address Based Keys 
(ABK) is a cryptographic technique where an rdentity-based cryptosystern is 
used to generate the Mobile Node's public key and private key using Public 
Cryptographic Parameters. Elliptic curve (EC) algorithms are preferred for 
5 identity based keys because they work well with small key sizes, are 

computationally efficient on small hosts, such as small wireless devices, and 
generate smaller signatures. Other types of algorithms such as non-EC 
algorithms may also be used such as by using abelian varieties in place of 
elliptic curves. 

1 0 Public Cryptographic Parameters include a collection of publicly known 

parameters, specific to the identity-based cryptographic algorithm, formed 
from determined constants and a secret master key that is known only to the 
Identity -based Private Key Generator (IPKG). The IPKG includes an agent 
that can execute an identity-based cryptographic algorithm to generate a 

15 private key when presented with a public identifier that will act as the public 

key. A preferably public identifier includes the Mobile Node's Home Address 
(HoA). The IPKG uses a secret master key to generate the private key, and 
to generate the public cry ptopara meters which are distributed to the Mobile 
Node 135 and Correspondent Nodes 142. The public cryptopara meters are 

20 used to perform cryptographic operations between two nodes involved in 

securing or encrypting a message, such as the Mobile Node 135 and the 
Correspondent Node 142. 

FIG, 2 is a ladder diagram illustrating the use of an Identity-based 
cryptosystern to secure a Binding Update. At 200, the Mobile Node 135 

25 submits a publicly known identifier to the Home Agent acting as IPKG 145. 

The publicly known identifier includes the Home Address (HoA) of the Mobile 
Node 135. The Mobile Node's public key is calculated by applying a hash 
function specific to the id cryptographic algorithm to the concatenation of the 
Home Address (HoA) and a determined expiration time, for example one 

30 hour. At 210, the IPKG uses an id crypographic algorithm to generate the 

private key and returns the private key and the expiration time to the Mobile 
Node 135, encrypted using the IPsec security association. The public and 
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private keys can then be used for authentication and encryption. Identity- 
based cryptographic algorithms require that a secret known only to the IPKG 
is used lo generate the private key. As a result, unlike the Diffie-Hellrnan 
algorithm, the publicly known parameters of the cryptographic algorithm are 
5 not fixed, and therefore are not preprogrammed into the Mobile Node 1 35, 

Home Agent 145 and Correspondent Node 142. If secret master key expires 
or becomes compromised, the publicly known parameters are updated. 

An identity-based encryption scheme includes an encryption algorithm 
and a decryption algorithm. Encrypted material, i.e., ciphertext, can be 
1 0 calculated using the following algorithm: 



ciphertext = ENCRYPT{contents,IPuK,Params) 



where: 

15 

ciphertext - The ciphertext. 

ENCRYPT - The identity-based encryption algorithm used to encrypt 
the message contents. 

contents - The message contents to be protected. 
20 IFuK - The identity-based public key for the MN. 

Params - The public cryptographic parameters of the IPKG. 



Note that IPuK = H(ID, time), where 

H - A hashing algorithm specific to the identity-based algorithm used 
25 for generating the public key from the ID. 

ID - The publicly known identifier used to generate the key. 
time - Simple Network Time Protocol (SNTP) Version 4 for IPv6 
expiration time of the public/private key pair. < 



30 The ciphertext can be decrypted using the following algorithm: 

contents = DECRYPT (ciphertext, IPrK, Params) 
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10 



where: 

IPrK - The identity-based private key for the mobile node. 
DECRYPT - The identity-based decryption algorithm used to decrypt 
the ciphertext. 

A message authentication code (MAC) can be calculated using the 
following scheme: 

mac = MAC{contents, symK) 

where: 



15 mac - the computed authentication token. 

MAC - the symmetric-key-based message authentication code 
algorithm used to compute an authentication token for a message, 
contents - the message contents to be authenticated 
symK - the symmetric key shared by the sender and recipient of mac. 

20 

A IPsec security association is required between the Mobile Node 1 35 
and the Home Agent 145. The IPsec security association is used so that 
cryptographic parameter information and private key information can be 
securely distributed to the Mobile Node 135, The Mobile Node 135, Home 

25 Agent 145, and Correspondent Node 142 all implement an identity based 

cryptosystem. The Home Agent 145 performs as the identity based Private 
Key Generator (IPKG) or has secure access to an IPKG. Initially, the Mobile 
Node 135 is configured to have an identity-based public/private key pair that 
is associated with its 128-bit IPv6 Home Address (HoA), along with the public 

30 cryptographic parameters. 

At 220 f after the configuration phase, the Mobile Node 135 sends a 
parameter retrieval initiation message to the Correspondent Node 142, such 
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as when the Mobile Node 135 begins a connection with a Correspondent 
Node 142. At 230 and 240, If the Correspondent Node 142 has not already 
recorded or cached the associated public cryptographic parameters, the 
Correspondent Node 142 securely downioads the parameters from Home 
5 Agent 145 of the Mobile Node 135. At 250, the Correspondent Node 142 then 

sends the Mobile Node 135 a shared secret key encrypted with Mobile Node's 
public key. 

At 260, the Mobile Node 135 can then securely send the Binding 
Update. The Mobile Node 135 can send the secured Binding Update to the 

10 Correspondent Node 142 by authenticating the Binding Update with the 

shared secret session key. The Correspondent Node 142 can verify the 
authentication token by using the shared secret session key. There is no 
need to send the public key itself or any certificate. Also, since a symmetric 
key method is used to authenticate the Binding Update, there is no need to 

15 perform potentially slow public key cryptographic operations on each Binding 

Update. At 270, the Correspondent Node 142 can send a Binding 
Acknowledgement (BA) to the Mobile Node 135. 

The protocol for securely distributing the private key and cryptographic 
parameters to the Mobile Node 135 includes the following two messages: 

20 

1) ABK Request: request private key and parameters 

2) ABK Reply: return private key and parameters 

The protocol for obtaining the cryptographic parameters from the HA 
25 and establishing a shared secret key using ABK includes the following four 

messages. 

1} ABKpl: MN->CN - parameter cache directive 
2) ABKp2: CN~>HA - request for parameters 
30 3) ABKp3: HA->CN - parameter return 

4) ABKp4: CN->MN - parameter cache directive response 



10 



(26) 



IB 2003-324419 



ABKp2 and ABKp3 are not necessary if the Correspondent Node 142 
has cached the Home Agent 145 parameters- 
Standard Mobile IPv6 Binding Update are used:. 

5 1) BU: MN->CN - Binding Update + binding authorization data 

2) BA: CN->MN - Binding Acknowledgement 

These messages are described in more detail below. 

The Home Agent 145 can serve as an IPKG for all Mobile Nodes within 

1 o the domain of the Home Agent 145. The Home Agent 145 generates public 

cryptographic parameters (Params). The parameters are used with the 
identity-based cryptographic algorithm. The Mobile Node 135 uses the 128- 
bit IPv6 Home Address (HoA) assigned to the Mobile Node 135 by the Home 
Agent 145. The Home Address (HoA) is also used as the basis of the IPsec 

1 5 security association between the Home Agent 135 and the Mobile Node 135 

in the base Mobile IPv6 specification. 

The Mobile Node 135 then requests the private key IPrK and public 
cryptographic parameters from the Home Agent 145. The request can be 
accomplished any time prior to the Binding Update being sent, e.g., through 

20 an exchange of messages between the Home Agent 145 and the Mobile 

Node 135 using the pre-existing IPsec security association. The Home Agent 
145 returns IPrK, the parameters, the version number of the parameters, and 
the SNTP time that the public/private key pair expires. The Mobile Node 135 
can compute its public key as IPuK = H(HoA, expirationjirne). Message 

25 formats are described below for configuring and updating the Mobile Node 

135 with its ABK. 

The Mobile Node 135 sends an ABKpl message to the Correspondent 
Node 142 to cause the Correspondent Node 142 to initiate a request for the 
public cryptographic parameters. The source address of the packet is the 
30 Home Address (HoA) Mobile Node 135. ABKpl contains a 

Parameters_version (Params_ver), e.g., a version number of the parameters, 
and a time SNTP field, e.g., an expiration time of the public/private key pair. 
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Upon receipt of ABKpl , the Correspondent Node 142 formulates HAA 
as the Mobile IPv6 Home-Agent anycast address for the subnet prefix of 
Home Address (HoA) of the Mobile Node 135. The Correspondent Node 142 
checks for Params (of the correct version number) and the same expiration 
5 time cached for the HAA. If so, the Correspondent Node 142 does not need 

to send messages ABKp2 and ABKp3 and may send message ABKp4. 

If the Correspondent Node 142 does not have Params of the correct 
version number cached or if the Correspondent Node 142 has an earlier 
expiration time cached, the Correspondent Node 142 sends an ABKp2 to 
10 Home Agent (HA) 145, e.g., using the destination address HAA. This 

assumes that valid public/private key pairs associated with a particular Home 
Agent (HA) 145 (PKG) include the same expiration time. 

If the Correspondent Node 142 needs to send ABKp2 and ABKp3, 
ABKp2 contains the following fields: 

15 

HoA — the Home Address of the Mobile Node. 
Nmac - Home-agent-dependent nonce MAC. 

The nonce nmac is: 
20 nmac = MAC(SHA1 (HAA, N1), k_CN) 

where 

- N1: nonce 

~ k._CN: a secret key that only the CN knows 

25 

The nonce N1 Is preferably refreshed periodically, but the same nonce 
is used for all Home Agents 145 with which the Correspondent Node 142 
corresponds during the same time period. The Correspondent Node 142 can 
also cache recently used nonces. 
30 Upon receipt of ABKp2> the Home Agent 145 determines whether the 

Home Address (HoA) of the Mobile Node 135 is a known home address. The 
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Home Agent (HA) 145 returns ABKp3 to Correspondent Node 142 with the 
following fields: 

- Params. 

5 - Pararns_yer: version number of the parameters 

- time: SNTP expiration time of the public/private key pair. 

- AF: Address change authorization flag 

- nmac. 

10 If the Home Address (HoA) is not a known home address, Params is 

set to NULL by the Home Agent (HA) 145. If AF is not set, then the Mobile 
Node 135 can use a globally unique interface identifier. The Correspondent 
Node 142 determines that the interface identifiers of the Home Address and 
the care-of address are the same. If AF is set, another method of authorizing 

15 the care-of address to change the routing could be used. Upon receipt of 

ABKp3, the Correspondent Node 142 checks Params and computes 
MAC(SHA1(HAA r N1)> k_CN). If Params is set to NULL or if nmac does not 
match the computed MAC value then authenticated fails. The Correspondent 
Node 142 does not send an error message. If Params is not NULL, the 

20 Correspondent Node 142 caches HAA (source address of message ABKp3)> 

the parameters, the version number of the parameters, the current key 
expiration time, and the address change authorization flag. 
ABKp4 contains the following field: 

25 E - ENCRYPT{k_m, IPuK, Params) 

where 

k_m = SHA1(HoA, k_CN). 



30 



k__m is a secret key that the Correspondent Node 142 generates and 
shares with the Mobile Node 135. The key is encrypted with the public key 
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10 



15 



IPuK of the Mobile Node 135, which may be derived from the Home Address 
(HoA) of the Mobile Node 135 and the public/private key expiration time. 
When the Mobile Node 135 receives ABKp4, it computes k_m - DECRYPT(E, 
IPrK, Params) to use in computing the Binding Update. 

A Binding Update message can be sent from the Mobile Node 1 35 to 
the Correspondent Node 142 according to standard Mobile IPv6 procedures. 
In addition to the standard fields, the Binding Update contains a Binding 
Authorization Data option, which contains a MAC calculated over the following 
fields: 

The BU contents (including HoA). 
kjr - random value generated by the Mobile Node. 

The Authenticates calculated as follows: 

mac = MAC(SHA1(BU, k_r), k) 

where the session key can be computed as k = SHA1(kjm | k_r). 

20 Upon receiving the Binding Update, if the address change authorization 

flag AF is not set for the Home Address (HoA) of the Mobile Node 135, the 
Correspondent Node 142 determines whether the interface identifier on the 
proposed Care of Address (CoA) matches the interface identifier on the Home 
Address (HoA) in the Home Address Option of the Binding Update packet. If 

25 the Interface identifier does not, the Correspondent Node 142 sends a Binding 

Acknowledgment (BA) with the appropriate error code. 

If AF is set, then the Binding Update begins an address change 
authorization algorithm to determine whether the Mobile Node 135 can 
change the address. 

30 If AF is not set and the interface identifier on the proposed Care of 

Address (CoA) matches that of the Home Address (HoA) in the Home 
Address Option of the Binding Update packet or if the AF is set and the 

14 
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address change Is authorized, the Correspondent Node 142 computes k_m = 
SHA1(HoA, k_CN) and then computes K = SHA1(k_m | kjr). The 
Correspondent Node 142 then verifies the Binding Update by comparing the 
value mac from the Authenticator in the Binding Authorization Data option to 
5 MAC(SHA1(BU, kjr), k). If the two values match, the Correspondent Node 

142 sends a Binding Acknowledgment (BA) message that indicates success; 
otherwise, the Correspondent Node 142 sends a Binding Acknowledgment 
(BA) message that indicates failure. 

The Mobile Node 135 uses the same interface identifier for its Care of 

10 Address {CoA) as in the Home Address (HoA), unless the Home Agent (HA) 

145 has indicated otherwise in ABKp3 by setting the Address Change 
Authorization flag. If the flag is not set and a different interface identifier 
appears in the binding update, the Correspondent Node 142 rejects the 
Binding Update and sends an error Binding Acknowledgment (BA) to the 

15 Mobile Node 1 35 that indicates that the Binding Update is rejected. 

The Mobile Node 135 may use a different interface identifier for the 
Care of Address (CoA) if the Home Agent 145 has indicated by setting the 
Address Change Authorization flag that some procedure is in place. The 
different interface identifier allows the Correspondent Node 142 and Mobile 

20 Node 1 35 to agree on a way of authorizing that a Mobile Node 1 35 with a 

particular Home Address (HoA) is allowed to change to a particular Care of 
Address (CoA). Cryptographicaily generated addresses and AAA are 
examples of such procedures. 

The Mobile Node/Home Address (HoA) association can be verified, 

25 The Correspondent Node 142 receives parameters directly from the Home 

Agent (HA) 145. Also, only the true Mobile Node 135 can decrypt the shared 
secret key, which is used to generate the session keys that authenticate the 
Binding Updates. 

If a Mobile Node 135 attempts to flood a Correspondent Node 142 with 
30 ABKpl messages, for each message, the Correspondent Node 142 checks a 

parameters table to determine if the Correspondent Node 142 has the 
parameters for the relevant Home Agent 145. If not, the Correspondent Node 
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142 sends an ABKp2 message to the Home Agent 145 to request 
parameters. The Correspondent Node 142 will not send an ABKp2 message 
to the same Home Agent 145 more than once unless the parameters have 
expired. The Correspondent Node 142 does not create state, if a Home 
5 Agent 145 is flooded with ABKp2 messages, the Home Agent 145 discards all 

messages that include a Home Address (HoA) that is not in the domain of the 
Home Agent 145. 

The nonce MAC nmac is used to prevent attackers who might attempt 
to initiate communications with the Correspondent Node 142, or ffood the 

1 0 Correspondent Node 142 by using message ABKp3. For a flood of ABKp4 

messages, the Mobile Node 135 ignores any messages if the Mobile Node 
135 did not initiate an ABKpl message. The Correspondent Node ignores 
Binding Update messages whose MACs cannot be verified. The Mobile Node 
135 ignores Binding Acknowledgment (BA) messages from nodes with which 

15 Mobile Node 135 did not initiate a Binding Update. 

if an attacker on one path between any two entities (Mobile Node 1 35, 
Correspondent Node 142, Home Agent 145) can alter messages, at worst the 
Binding Update would fail. The Correspondent Node 142 could continue to 
send Mobile Node packets to an old Care of Address (CoA). Since messages 

20 ABKpl through ABKp3 are not signed, a possibility exists to change them. 

However, if message ABKp4 is encrypted in a way that ABKp4 can aiso be 
authenticated, ABKp4 cannot be changed. The Binding Update is 
accomplished with MAC, so that the Binding Update is not susceptible to a 
data alteration attack. 

25 Alternatively, if the Correspondent Node 142 includes a standard public 

key certificate for the Home Agent 145, the Correspondent Node 142 can use 
another protocol, such as a TLS (Transport Level Security, RFC 2246) 
protocol to transact ABKp2 through ABKp3. The TLS protocol can prevent an 
attack on the Home Agent transaction. 

30 A redirect attack can occur if the Mobile Node 135 can send the 

Correspondent Node 142 a Binding Update containing an false Care of 
Address (CoA) in a different subnet that corresponds to the victim. The 
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Correspondent Node 142 will then redirect the Mobile Node's traffic to the 
victim, even though the victim has no interest in the traffic. Redirect attacks 
can be prevented by requiring that the Mobile Node 135 use an interface 
identifier assigned to it by the Home Agent 145 in the Home Address (HoA) of 
5 the Mobile Node 135 to also form the Care of Address (CoA). This prevents 

the Mobile Node 135 from forming a Care of Address (CoA) that corresponds 
to any node other than itself. The Mobile Node 134 uses the same interface 
identifier in every Care of Address (CoA). Use of the same identifier does not 
limit route optimization because route optimized packets contain a Home 

1 0 Address Option containing the home address anyway.. 

An ABK distribution protocol provides the Mobile Node 135 with an 
ABK from the Home Agent 145 initially and periodically if necessary when the 
key expires or if the parameters change. The protocol uses TCP 
(Transmission Control Protocol) transport to a port to be assigned, for 

15 example, by IANA. The protocol can be secured using IPsec ESP and the 

Home Agent/Mobile Node security association defined by the base Mobile 
IPv6 specification. The protocol contains two messages, an ABK Request 
and an ABK Reply. 

FIG. 3 illustrates an ABK Request message. The ABK Request 

20 message is sent by the Mobile Node 135 to the Home Agent 145 to request a 

new ABK. The source address is the Mobile Node home address. The 
destination address is the Home Agent address. An IPsec Header such as an 
ESP IPsec header for the Home Agent/Mobile Node security association can 
be included, and the packet can be encrypted using the shared key. The ABK 

25 message type code 300 is set to an identifier, such as 5. The #A!g. ids 310 is 

the number of four byte algorithm identifier records to follow, which is not 
zero. For each record, the Alg. Id 320 includes a two byte identity-based 
cryptographic algorithm identifier, assigned by IANA. Params_ver 330 
includes a two byte parameter version number for the algorithm identifier. 

30 If the Mobile Node 135 is not on the home network, the Mobile Node 

135 establishes a valid binding between the Care of Address (CoA) and 
Home Address (HoA) before sending this message and reverse tunnel the 
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message to the Home Agent 145 to avoid ingress filtering on the foreign 
subnet. The Mobile Node 135 includes a list of identity-based cryptographic 
algorithm identifiers indicating the algorithms that the Mobile Node 135 
supports, and the version numbers for the latest version of the parameters 
5 known to the Mobile Node 135. The list may be in order of the Mobile Node 

preferences, for example, with the most preferred algorithm first. 

The IPsec security association assures that only Mobile Nodes 135 
with valid, assigned Home Addresses (HoAs) can communicate with the 
Home Agent 145. Upon receipt of an ABK Request, for each algorithm in the 

10 list in which the parameter version is not equal to the most current version, the 

Home Agent 145 calculates IPrK. First, the Home Agent 145 calculates IPuK 
using the source address of the packet, e.g., the Home Address (HoA) as the 
public identifier, and an SNTP expiration time for the key. Next, the Home 
Agent 145 uses IPuK, the parameters, and the algorithm to calculate IPrK. 

15 The results are returned to the Mobile Node 134 in the ABK Reply message. 

FIG. 4 illustrates an ABK Reply message. The ABK Reply message 
contains a list of parameters for the algorithms requested by the Mobile Node 
135 and supported by the Home Agent 145. An expiration time value also is 
included, which the Mobile Node 135 used to compute the public key. 

20 Regarding the IP fields, the Source Address is the Home Agent address. The 

Destination Address is the Home Address (HoA) of the Mobile Node, 
Regarding IP Headers, the ESP IPsec header for the Home Agent/Mobile 
Node security association is included, and the packet is encrypted using the 
shared key. 

25 Regarding the Message Fields, the ABK message type code 400 is set 

to a number, such as 6, that differentiates the message from other messages. 
The Key Expiration Time 410 inctudes a four byte positive integer giving the 
time that the key expires. The #Param/Key Recs 420 includes the number of 
per algorithm variable length records including parameters and keys to follow. 

30 For each record, the Length of Param/Key Rec. 430 is the Length, in bytes, of 

the parameter record to follow, including the Alg. Id. 440, Params__ver 450, 
and Parameters + IPrK list 460. The Alg, Id 440 is a two byte identity-based 
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cryptographic algorithm identifier, assigned by (ANA. The Pararns_ver 450 is 
a two byte parameter version number for the algorithm identifier. The 
Parameters + IPrK 460 is a variable length parameters + IPrK list, the format 
of which is specified by the algorithm identifier specification. 
5 The Home Agent 145 returns an ABK Reply message in response to 

an ABK Request, encrypted and with the proper ESP security header. The 
ABK Reply message can be tunneled to the Mobile Node 135 at its CoA if the 
Mobile Node 1353 is not in a home network, just as with other traffic routed 
through the Home Address (HoA) of the Mobile Node 135. If the Home Agent 

10 145 does not support any of the algorithms requested by the Mobile Node 

135, the Key Expiration time 410 and #Param Recs 420 fields are zero. 
Otherwise, these fields are other than zero. If the Home Agent 145 does not 
support a particular algorithm, a record can be included with the indicated 
algorithm's Alg. Id 440. if the algorithm is not supported, the Params__yer 450 

15 field is zero and no Parameters + IPrK field 460 is used. 

!f the parameter version in the ABK Request for a particular algorithm 
supported by the Mobile Node 135 is current, a record can be included with 
the indicated algorithm's Alg. Id 440 and the current Params_ver 450, but no 
Parameters + IPrK field 460 is needed. The Mobiie Node 135 can continue to 

20 use cached parameters and IPrK until the parameters change or its key 

expires. The IPsec security association assures that the Home Agent 145 
can send the Mobiie Node 135 an ABK Reply. Upon receipt of the ABK 
Reply, the Mobile Node caches the IPrKs and parameters for each algorithm, 
for use in securing Binding Updates. When the keys expire, the Mobile Node 

25 135 requests a new private key IPrK for the identity-based cryptographic 

algorithms that the Mobile Node 135 supports. 

During the parameter initialization phase, the Mobile Node 135 
requests that the Correspondent Node 142 initialize the parameters from the 
Home Agent 145. The Mobiie Node 135 operates the parameter initialization 

30 protocol when the Mobile Node 135 changes IPrK and parameters. The 

protocol uses TCP over the IANA TBD assigned port as used for the ABK 
distribution protocol. The Mobile Node 135 can reverse tunnel ABKpl 
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through the Home Agent 145 to the Correspondent Node 142, if not located 
on the home network, to initfate the protocol. ABKp4 can be tunneled through 
the Home Agent 145 to the Mobile Node 142 by standard Mobile IP 
mechanisms. ABKp2 and ABKp3 are exchanged between the Correspondent 
5 Node 142 and Home Agent 145. 

FIG. 5 Illustrates an ABKpl message. ABKpl is reverse tunneled from 
Mobile Node 135 through the Home Agent 145, if the Mobile Node 135 is not 
located on the home network, to the Correspondent Node 142 to being the 
protocol for securing a Binding Update- The source address is the Home 

10 Address of the Mobile Node 135, The destination address is the address of 

the Correspondent Node 142. The ABK message type code 500 is set to a 
number to differentiate from other messages, such as 1. The #A!g. Ids 510 is 
the number of four byte algorithm identifier records 520 to follow, greater than 
zero. For each record, the Alg. Id 520 is a two byte identity-based 

15 cryptographic algorithm identifier, assigned by IANA. The Params_ver 530 is 

a two byte parameter version number for the algorithm identifier. The 
parameter version number identifies the version of the parameters currently 
held by the Mobile Node 135, The Key Expiration Time 540 is a four-byte 
SNTP time which identifies the expiration time of the Mobile Node's key. 

20 FIG. 6 illustrates an ABKp2 message, ABKp2 is sent by the 

Correspondent Node 142 to the Home Agent 145, The source address is the 
address of the Correspondent Node 142, The destination address is the 
Home Agent anycast address located in the Mobile Node's subnet, 
determined by the Home Address (HoA) subnet prefix of the Mobile Node 

25 135. The Message Fields include a Type field 600. The ABK message type 

code is set to a number different from other messages, such as 2. The 
Reserved field 610 is set to zero upon transmission and ignored on reception. 
The nmac field 620 identifies nonce MAC, a 160 bit HMAC SHA-1 value. The 
HoA field 630 identifies the Home Address of the Mobile Node 135. The #Alg. 

30 Ids field 640 identifies the number of two byte algorithm identifier records to 

follow, which is not zero. For each record, Alg. Id 650 identifies a two byte 
identity-based cryptographic algorithm, assigned by IANA or another entity. 
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The algorithm id list identifies the algorithms supported by the 
Correspondent Node 142 that were Included in the lis! sent by the Mobile 
Node 135 in ABKpl , for which the version number of the parameters cached 
by the Correspondent Node 142 does not match that sent by the Mobile Node 
5 135. The Correspondent Node 142 does not send ABKp2 if the 

Correspondent Node 142 has a set of cached parameters with a version 
number matching at least one of the algorithms on the list sent by the Mobile 
Node 135 in ABKpl. The Correspondent Node 142 uses the matching 
algorithm. 

10 FIG. 7 illustrates an ABKp3 message. The source address is the 

address of the Home Agent 145. The destination address is the address of 
the Correspondent Node 142. The Message Fields include a Type field 700. 
The ABK message type code is set to a unique message number, such as 3. 
The A field identifies an Unset and Set command. The Unset command is 

15 used if the Home Agent 145 requires the Mobile Node 135 to use the same 

interface identifier for CoAs as for the Home Address (HoA). The Set 
command is used if a different address change authorization procedure is 
used. The Reserved field 720 is set to zero upon transmission. The nmac 
field 730 identifies nonce MAC, a 160 bit HMAC SHA-1 value that matches 

20 the nonce value sent in ABKp2. 

The #Param Recs 740 identifies the number of variable length 
parameter records to follow. For each record, the Length of Param Rec field 
750 identifies the length, e.g., in bytes, of the parameter record to follow, 
including the Alg. Id. 760, the Paramsjver 770, and the Parameters 780. The 

25 Alg. Id field 760 includes a two byte identity-based cryptographic algorithm 

identifier, e.g., assigned by IANA. The Paramsjver field 770 includes a two 
byte parameter version number for the algorithm identifier. The Parameters 
field 780 includes a variable length parameters list 790, the format of which 
can be determined by the algorithm identifier specification. 

30 If the Home Agent 145 has no record of the Home Address (HoA) of 

the Mobile Node 135, the Home Agent 145 returns ABKpS with the #Param 
Recs. field 740 set to zero. Otherwise, #Param Recs. field 740 is not set to 
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zero. If the Home Agent 145 does not support one of the algorithms on the 
list sent in ABKp3, the Home Agent 145 sends a record with the indicated 
algorithm's identifier in the Alg. Id field 760, the Params^ver field 770 is set to 
zero and no parameters exist in the Parameters field 780. Otherwise, the 
5 Home Agent 145 includes a parameter record for each algorithm included in 

ABKp2 for which the Home Agent 145 has parameters. 

FIG. 8 illustrates an ABKp4 message. Regarding the IP Fields, the 
Source Address is the Correspondent Node's address. The Destination 
Address is the home address of the Mobile Node. The Message Fields 
1 o include the Type field 800. The ABK message Type field 800 code is set to a 

unique message number, such as 4. A Status Code field 810 includes a code 
indicating a message status. Exemplary recognized codes foJJow: 



15 



0 - Status OK. 

1 - No algorithm supported. A T code is returned if the Mobile Node 
135 and the Correspondent Node 142 do not share an algorithm in common. 



2 - Parameters out of date. A "Z code is returned if the version 
20 numbers of the parameters returned by the Home Agent 142 for all algorithms 

shared with the MN are newer than the version numbers provided by the 
Mobile Node 135. 



The Alg. Id field 820 is a two byte algorithm identifier for the algorithm 
25 to be used by the Correspondent Node 142 to encrypt the Session Key. The 

Length of Encrypted Key field 830 identifies the length, in bytes, of the 
encrypted session key (E). As described above, E can equal ENCRYPT(k_m, 
IPuK, Params). The Encrypted Session Key (E) is contained in the 'E' field 
840. 

30 The algorithm identifier specification contains the format of the shared 

key and other data. The Correspondent Node 142 selects an algorithm from 
the list sent by the Mobile Node 135 in ABKpl for which parameters are 
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available as returned by the Home Agent 145 in ABKp3, or cached by the 
Correspondent Node 142 if no ABKp2/ABKp3 message was necessary. The 
Correspondent Node 142 includes the selected algorithm's identifier in the 
Alg. Id field 820. The Correspondent Node 142 can select the algorithm 
5 closest to the beginning of the list sent by the Mobile Node 142 in ABKpl , 

since the list is sorted by order of Mobile Node preference. 

The Encrypted Session Key field 840 contains the session key, 
encrypted using the public key (calculated from the home address (HoA) of 
the Mobile Node 135 and the key expiration time) and the algorithm 

1 0 parameters. The format of this field depends on the algorithm and is included 

in the algorithm specification. The Correspondent Node 142 does not send a 
return message if the Home Agent 145 indicates that the Home Agent 145 
does not recognize the Mobile Node's Home Address (HoA), 

If the Correspondent Node 142 is able to select an algorithm with 

15 parameters on which the Correspondent Node 142 and Mobile Node 135 

agree, the Status Code field 810 is set to zero and the remainder of the 
message is filled. If the Status Code field is not zero, the Correspondent 
Node 142 does not include any other fields. If the Correspondent Node 142 
and Mobile Node 135 can agree on at least one algorithm and the parameter 

20 versions match, the Correspondent Node 142 selects that algorithm. The 

Correspondent Node 142 does not send a nonzero status code unless there 
are no matching choices. 

A Mobile Node 135 using ABK to secure Binding Updates includes a 
standard Mobile IPv6 Binding Authorization Data extension, with the 

25 authentication token _mac_, calculated as described above, in the 

Authenticator field. The Correspondent Node 142 verifies the Authenticated, 
as described above, if the Authenticator fails to be verified, the 
Correspondent Node 142 returns a Binding Acknowledgement (BA) with error 
code 137, Invalid authenticator. If the address change authorization check 

30 fails, an error code is sent that the Mobile Node 135 is not authorized for that 

CoA. 
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For an identity-based encryption algorithm to be used in ABK Binding 
Updates, a specification exists to describe the algorithm and provide, an I ANA 
assigned algorithm type code, a format of the Parameters + JPrK field in the 
ABK Reply message, a format of the Parameters field in ABKp3, and a format 
5 of E in ABKp4. The specification is established by IETF standards action. A 

TCP socket number is determined for the protocol, to be assigned by [ANA. A 
Mobile IP Binding Acknowledgement error code may be determined for when 
the Mobile Node 135 is not authorized to change to a particular Care of 
Address Co A. 

1 o While the invention has been described above by reference to various 

embodiments, It will be understood that many changes and modifications can 
be made without departing from the scope of the invention. It is therefore 
intended that the foregoing detailed description be understood as an 
illustration of the presently preferred embodiments of the invention, and not as 

15 a definition of the invention. It is only the following claims, including all 

equivalents, which are intended to define the scope of this invention > 
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CLAIMS 

1. A method of securing binding updates in a wireless 
telecommunications system, the method comprising: 

generating a public key using a publicly known identifier; 
5 generating a private key using the public key; and 

utilizing the public key and the private key to secure binding 

updates. 

2. The method of claim 1 wherein a home agent generates the 
public key. 

10 3. The method of claim 1 wherein a home agent generates the 

private key. 

4. The method of ciaim 3 wherein the home agent provides the 
private key to the mobile host. 

5. The method of claim 4 further including a correspondent node 
15 connectable with a mobile host, wherein the public key, a shared key and a 

public parameter are used to secure binding updates between the mobile host 
and the correspondent node. 

6. The method of claim 5 wherein the correspondent node encrypts 
the shared key with the public key and the public parameter. 

20 7. The method of claim 5 wherein the mobile host uses the shared 

key to sign the binding update and sends a signed binding update to the 

correspondent node. 

8. The method of claim 5 wherein the home agent provides the 
public parameters to the correspondent node. 

25 9. The method of claim 1 wherein the public key Is generated using 

a home address value of the mobile host. 
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10. A system for securing binding updates in a wireless 
telecommunications system, comprising: 

a mobile host connectable to the telecommunications system; 
a correspondent node connectable with the mobile host, wherein 
5 a public key and a private key are used to secure binding updates between 

the mobile host and the correspondent node. 

1 1 . The system of claim 1 0 further including a home agent 
connectable with the mobile host and correspondent node. 

12. The system of claim 1 1 wherein the home agent generates the 
1 0 private key and a public parameter. 

13. The system of claim 10 wherein the public key is generated 
using a home address value of the mobile host. 

14. The system of claim 1 1 wherein the home agent generates the 
private key. 

15 T5. The system of claim 1 1 wherein the home agent provides the 

private key and public parameters to the mobile host. 

16. The system of claim 15 wherein a correspondent node encrypts 
a shared key with the public key and public parameters. 

17. The system of claim 16 wherein the mobile host uses the shared 
20 key to sign the binding update and sends a signed binding update to the 

correspondent node.. 

18. The system of claim 16 wherein the mobile host provides the 
public parameters to the correspondent node. 

19. A mobile node for use in a wireless telecommunications system, 
25 comprising: 

an interface capable of connecting the mobite node to a home 
agent and a corresponding node, wherein a public key and a private key are 
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used to secure binding updates between the mobile node and the 
correspondent node. 

20. The mobile node of claim 1 9 wherein the home agent generates 
the private key and a public parameter, 

5 21 . The mobile node of claim 1 9 wherein the public key is generated 

using a home address value of the mobile node. 

22. The mobile node of claim 1 9 wherein the home agent generates 
the private key. 

23. The mobile node of claim 1 9 wherein the home agent provides 
10 the private key and public parameters to the mobile node, 

24. The mobile node of claim 23 wherein the correspondent node 
encrypts a shared key with the public key and public parameters. 

25. The mobile node of claim 24 wherein the mobile node uses the 
shared key to sign the binding update and sends a signed binding update to 

1 5 the correspondent node. 

26. Hie mobile node of claim 24 wherein the interface is used to 
provide the public parameters to the correspondent node. 
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ABSTRACT 

A system and method are disclosed for securing binding updates in a 
wireless telecommunications system. A public key is generating using a 
home address value of the mobile host. Thereafter, a home agent, such as a 
5 router, generates a private key using public cryptographic parameters, that 

corresponds to the mobile host and the public key. The correspondent node 
uses the public key to encrypt a shared key and sends the shared key to the 
mobile host. The mobile host decrypts the shared key using the private key 
and uses the shared key to sign the binding update. Thereafter, the 
10 correspondent node utilizes the shared key to verify the authenticity of the 

binding update. 
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